2000 character limit reached
Securing Recommender System via Cooperative Training (2401.12700v1)
Published 23 Jan 2024 in cs.AI
Abstract: Recommender systems are often susceptible to well-crafted fake profiles, leading to biased recommendations. Among existing defense methods, data-processing-based methods inevitably exclude normal samples, while model-based methods struggle to enjoy both generalization and robustness. To this end, we suggest integrating data processing and the robust model to propose a general framework, Triple Cooperative Defense (TCD), which employs three cooperative models that mutually enhance data and thereby improve recommendation robustness. Furthermore, Considering that existing attacks struggle to balance bi-level optimization and efficiency, we revisit poisoning attacks in recommender systems and introduce an efficient attack strategy, Co-training Attack (Co-Attack), which cooperatively optimizes the attack optimization and model training, considering the bi-level setting while maintaining attack efficiency. Moreover, we reveal a potential reason for the insufficient threat of existing attacks is their default assumption of optimizing attacks in undefended scenarios. This overly optimistic setting limits the potential of attacks. Consequently, we put forth a Game-based Co-training Attack (GCoAttack), which frames the proposed CoAttack and TCD as a game-theoretic process, thoroughly exploring CoAttack's attack potential in the cooperative training of attack and defense. Extensive experiments on three real datasets demonstrate TCD's superiority in enhancing model robustness. Additionally, we verify that the two proposed attack strategies significantly outperform existing attacks, with game-based GCoAttack posing a greater poisoning threat than CoAttack.
- Himeur, Y., Sayed, A., Alsalemi, A., Bensaali, F., Amira, A., Varlamis, I., Eirinaki, M., Sardianos, C., Dimitrakopoulos, G.: Blockchain-based recommender systems: Applications, challenges and future opportunities. Computer Science Review 43, 100439 (2022) Lian et al. [2020] Lian, D., Wu, Y., Ge, Y., Xie, X., Chen, E.: Geography-aware sequential location recommendation. In: Proceedings of KDD’20, pp. 2009–2019 (2020) Chevalier and Mayzlin [2006] Chevalier, J.A., Mayzlin, D.: The effect of word of mouth on sales: Online book reviews. J Mark Res 43(3), 345–354 (2006) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E.: Triple adversarial learning for influence based poisoning attack in recommender systems. In: Proceedings of KDD’21, pp. 1830–1840 (2021) Li et al. [2016] Li, B., Wang, Y., Singh, A., Vorobeychik, Y.: Data poisoning attacks on factorization-based collaborative filtering. NIPS 29, 1885–1893 (2016) Lin et al. [2020] Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lian, D., Wu, Y., Ge, Y., Xie, X., Chen, E.: Geography-aware sequential location recommendation. In: Proceedings of KDD’20, pp. 2009–2019 (2020) Chevalier and Mayzlin [2006] Chevalier, J.A., Mayzlin, D.: The effect of word of mouth on sales: Online book reviews. J Mark Res 43(3), 345–354 (2006) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E.: Triple adversarial learning for influence based poisoning attack in recommender systems. In: Proceedings of KDD’21, pp. 1830–1840 (2021) Li et al. [2016] Li, B., Wang, Y., Singh, A., Vorobeychik, Y.: Data poisoning attacks on factorization-based collaborative filtering. NIPS 29, 1885–1893 (2016) Lin et al. [2020] Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chevalier, J.A., Mayzlin, D.: The effect of word of mouth on sales: Online book reviews. J Mark Res 43(3), 345–354 (2006) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E.: Triple adversarial learning for influence based poisoning attack in recommender systems. In: Proceedings of KDD’21, pp. 1830–1840 (2021) Li et al. [2016] Li, B., Wang, Y., Singh, A., Vorobeychik, Y.: Data poisoning attacks on factorization-based collaborative filtering. NIPS 29, 1885–1893 (2016) Lin et al. [2020] Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E.: Triple adversarial learning for influence based poisoning attack in recommender systems. In: Proceedings of KDD’21, pp. 1830–1840 (2021) Li et al. [2016] Li, B., Wang, Y., Singh, A., Vorobeychik, Y.: Data poisoning attacks on factorization-based collaborative filtering. NIPS 29, 1885–1893 (2016) Lin et al. [2020] Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, B., Wang, Y., Singh, A., Vorobeychik, Y.: Data poisoning attacks on factorization-based collaborative filtering. NIPS 29, 1885–1893 (2016) Lin et al. [2020] Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Lian, D., Wu, Y., Ge, Y., Xie, X., Chen, E.: Geography-aware sequential location recommendation. In: Proceedings of KDD’20, pp. 2009–2019 (2020) Chevalier and Mayzlin [2006] Chevalier, J.A., Mayzlin, D.: The effect of word of mouth on sales: Online book reviews. J Mark Res 43(3), 345–354 (2006) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E.: Triple adversarial learning for influence based poisoning attack in recommender systems. In: Proceedings of KDD’21, pp. 1830–1840 (2021) Li et al. [2016] Li, B., Wang, Y., Singh, A., Vorobeychik, Y.: Data poisoning attacks on factorization-based collaborative filtering. NIPS 29, 1885–1893 (2016) Lin et al. [2020] Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chevalier, J.A., Mayzlin, D.: The effect of word of mouth on sales: Online book reviews. J Mark Res 43(3), 345–354 (2006) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E.: Triple adversarial learning for influence based poisoning attack in recommender systems. In: Proceedings of KDD’21, pp. 1830–1840 (2021) Li et al. [2016] Li, B., Wang, Y., Singh, A., Vorobeychik, Y.: Data poisoning attacks on factorization-based collaborative filtering. NIPS 29, 1885–1893 (2016) Lin et al. [2020] Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E.: Triple adversarial learning for influence based poisoning attack in recommender systems. In: Proceedings of KDD’21, pp. 1830–1840 (2021) Li et al. [2016] Li, B., Wang, Y., Singh, A., Vorobeychik, Y.: Data poisoning attacks on factorization-based collaborative filtering. NIPS 29, 1885–1893 (2016) Lin et al. [2020] Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, B., Wang, Y., Singh, A., Vorobeychik, Y.: Data poisoning attacks on factorization-based collaborative filtering. NIPS 29, 1885–1893 (2016) Lin et al. [2020] Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Chevalier, J.A., Mayzlin, D.: The effect of word of mouth on sales: Online book reviews. J Mark Res 43(3), 345–354 (2006) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E.: Triple adversarial learning for influence based poisoning attack in recommender systems. In: Proceedings of KDD’21, pp. 1830–1840 (2021) Li et al. [2016] Li, B., Wang, Y., Singh, A., Vorobeychik, Y.: Data poisoning attacks on factorization-based collaborative filtering. NIPS 29, 1885–1893 (2016) Lin et al. [2020] Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E.: Triple adversarial learning for influence based poisoning attack in recommender systems. In: Proceedings of KDD’21, pp. 1830–1840 (2021) Li et al. [2016] Li, B., Wang, Y., Singh, A., Vorobeychik, Y.: Data poisoning attacks on factorization-based collaborative filtering. NIPS 29, 1885–1893 (2016) Lin et al. [2020] Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, B., Wang, Y., Singh, A., Vorobeychik, Y.: Data poisoning attacks on factorization-based collaborative filtering. NIPS 29, 1885–1893 (2016) Lin et al. [2020] Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E.: Triple adversarial learning for influence based poisoning attack in recommender systems. In: Proceedings of KDD’21, pp. 1830–1840 (2021) Li et al. [2016] Li, B., Wang, Y., Singh, A., Vorobeychik, Y.: Data poisoning attacks on factorization-based collaborative filtering. NIPS 29, 1885–1893 (2016) Lin et al. [2020] Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, B., Wang, Y., Singh, A., Vorobeychik, Y.: Data poisoning attacks on factorization-based collaborative filtering. NIPS 29, 1885–1893 (2016) Lin et al. [2020] Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Li, B., Wang, Y., Singh, A., Vorobeychik, Y.: Data poisoning attacks on factorization-based collaborative filtering. NIPS 29, 1885–1893 (2016) Lin et al. [2020] Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Lin, C., Chen, S., Li, H., Xiao, Y., Li, Q. Lianyun and Yang: Attacking recommender systems with augmented user profiles. In: CIKM, pp. 855–864 (2020) Liu et al. [2014] Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Liu, H., Hu, Z., Mian, A., Tian, H., Zhu, X.: A new user similarity model to improve the accuracy of collaborative filtering. KBS 56, 156–166 (2014) Madry et al. [2017] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv (2017) Wu et al. [2021] Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., Yuan, S.: Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. In: SIGIR, pp. 1074–1083 (2021) Nguyen Thanh et al. [2023] Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Nguyen Thanh, T., Quach, N.D.K., Nguyen, T.T., Huynh, T.T., Vu, V.H., Nguyen, P.L., Jo, J., Nguyen, Q.V.H.: Poisoning gnn-based recommender systems with generative surrogate-based attacks. ACM Transactions on Information Systems 41(3), 1–24 (2023) Lam and Riedl [2004] Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Lam, S.K., Riedl, J.: Shilling recommender systems for fun and profit. In: WWW, pp. 393–402 (2004) Burke et al. [2006] Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Burke, R., Mobasher, B., Williams, C., Bhaumik, R.: Classification features for attack detection in collaborative recommender systems. In: KDD, pp. 542–547 (2006) Cohen et al. [2021] Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Cohen, R., Sar Shalom, O., Jannach, D., Amir, A.: A black-box attack model for visually-aware recommender systems. In: Proceedings of the 14th ACM International Conference on Web Search and Data Mining, pp. 94–102 (2021) Yue et al. [2021] Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Yue, Z., He, Z., Zeng, H., McAuley, J.: Black-box attacks on sequential recommenders via data-free model extraction. In: Proceedings of the 15th ACM Conference on Recommender Systems, pp. 44–54 (2021) Zhang et al. [2022] Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Zhang, S., Yin, H., Chen, T., Huang, Z., Nguyen, Q.V.H., Cui, L.: Pipattack: Poisoning federated recommender systems for manipulating item promotion. In: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, pp. 1415–1423 (2022) Fang et al. [2018] Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Fang, M., Yang, G., Gong, N.Z., Liu, J.: Poisoning attacks to graph-based recommender systems. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 381–392 (2018) Huang et al. [2021] Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., Xu, M.: Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021) Wang et al. [2022] Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Wang, Q., Lian, D., Wu, C., Chen, E.: Towards robust recommender systems via triple cooperative defense. In: Web Information Systems Engineering–WISE 2022: 23rd International Conference, Biarritz, France, November 1–3, 2022, Proceedings, pp. 564–578 (2022). Springer Du et al. [2018] Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Du, Y., Fang, M., Yi, J., Xu, C., Cheng, J., Tao, D.: Enhancing the robustness of neural collaborative filtering systems under malicious attacks. IEEE Trans. Multimedia 21(3), 555–565 (2018) Si and Li [2020] Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Si, M., Li, Q.: Shilling attacks against collaborative recommender systems: a review. Artif Intell Rev 53(1), 291–319 (2020) Ovaisi et al. [2022] Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., Xiong, C.: Rgrecsys: A toolkit for robustness evaluation of recommender systems. arXiv (2022) Chen et al. [2021] Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Chen, L., Xu, Y., Xie, F., Huang, M., Zheng, Z.: Data poisoning attacks on neighborhood-based recommender systems. Transactions on Emerging Telecommunications Technologies 32(6), 3872 (2021) Guo et al. [2017] Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: Deepfm: a factorization-machine based neural network for ctr prediction. arXiv (2017) He et al. [2017] He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- He, X., Liao, L., Zhang, H., Nie, L., Hu, X., Chua, T.-S.: Neural collaborative filtering. In: WWW, pp. 173–182 (2017) Fang et al. [2020] Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Fang, M., Gong, N.Z., Liu, J.: Influence function based data poisoning attacks to top-n recommender systems. In: Proceedings of The Web Conference 2020, pp. 3019–3025 (2020) Tang et al. [2020] Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Tang, J., Wen, H., Wang, K.: Revisiting adversarially learned injection attacks against recommender systems. In: RecSys, pp. 318–327 (2020) Jin et al. [2020] Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Jin, B., Lian, D., Liu, Z., Liu, Q., Ma, J., Xie, X., Chen, E.: Sampling-decomposable generative adversarial recommender. Adv Neur In 33, 22629–22639 (2020) Christakopoulou and Banerjee [2019] Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Christakopoulou, K., Banerjee, A.: Adversarial attacks on an oblivious recommender. In: RecSys, pp. 322–330 (2019) Li et al. [2017] Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Li, C., Xu, T., Zhu, J., Zhang, B.: Triple generative adversarial nets. Advances in neural information processing systems 30 (2017) Yang et al. [2017] Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Yang, G., Gong, N.Z., Cai, Y.: Fake co-visitation injection attacks to recommender systems. In: NDSS (2017) Oh and Kumar [2022] Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Oh, S., Kumar, S.: Robustness of deep recommendation systems to untargeted interaction perturbations. arXiv (2022) Fan et al. [2021] Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Fan, W., Derr, T., Zhao, X., Ma, Y., Liu, H., Wang, J., Tang, J., Li, Q.: Attacking black-box recommendations via copying cross-domain user profiles. In: ICDE, pp. 1583–1594 (2021). IEEE Song et al. [2020] Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., Gao, J.: Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems. In: ICDE, pp. 157–168 (2020). IEEE Deldjoo et al. [2021] Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. CSUR 54(2), 1–38 (2021) Yang et al. [2016] Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Yang, Z., Xu, L., Cai, Z., Xu, Z.: Re-scale adaboost for attack detection in collaborative filtering recommender systems. Knowledge-Based Systems 100, 74–88 (2016) Ge et al. [2022] Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Ge, Y., Liu, S., Fu, Z., Tan, J., Li, Z., Xu, S., Li, Y., Xian, Y., Zhang, Y.: A survey on trustworthy recommender systems. arXiv preprint arXiv:2207.12515 (2022) Zhang et al. [2015] Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., Ma, S.: Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation. In: Twenty-fourth International Joint Conference on Artificial Intelligence (2015) Zhang et al. [2018] Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Zhang, F., Zhang, Z., Zhang, P., Wang, S.: Ud-hmm: An unsupervised method for shilling attack detection based on hidden markov model and hierarchical clustering. Knowledge-Based Systems 148, 146–166 (2018) Zhang and Kulkarni [2014] Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Zhang, Z., Kulkarni, S.R.: Detection of shilling attacks in recommender systems via spectral clustering. In: FUSION, pp. 1–8 (2014). IEEE Cao et al. [2013] Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Cao, J., Wu, Z., Mao, B., Zhang, Y.: Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system. WWW 16(5-6), 729–748 (2013) Cheng and Hurley [2009] Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Cheng, Z., Hurley, N.: Effective diverse and obfuscated attacks on model-based recommender systems. In: Proceedings of the Third ACM Conference on Recommender Systems, pp. 141–148 (2009) Athalye et al. [2018] Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018). PMLR Machado et al. [2021] Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Machado, G.R., Silva, E., Goldschmidt, R.R.: Adversarial machine learning in image classification: A survey toward the defender’s perspective. CSUR (1), 1–38 (2021) He et al. [2018] He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- He, X., He, Z., Du, X., Chua, T.-S.: Adversarial personalized ranking for recommendation. In: SIGIR, pp. 355–364 (2018) Li et al. [2020] Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Li, R., Wu, X., Wang, W.: Adversarial learning to compare: Self-attentive prospective customer recommendation in location based social networks. In: WSDM, pp. 349–357 (2020) Park and Chang [2019] Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Park, D.H., Chang, Y.: Adversarial sampling and training for semi-supervised information retrieval. In: The World Wide Web Conference, pp. 1443–1453 (2019) Tang et al. [2019] Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Tang, J., Du, X., He, X., Yuan, F., Tian, Q., Chua, T.-S.: Adversarial training towards robust multimedia recommender system. IEEE Transactions on Knowledge and Data Engineering 32(5), 855–867 (2019) Yue et al. [2022] Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Yue, Z., Zeng, H., Kou, Z., Shang, L., Wang, D.: Defending substitution-based profile pollution attacks on sequential recommenders. In: Proceedings of the 16th ACM Conference on Recommender Systems, pp. 59–70 (2022) Hidano and Kiyomoto [2020] Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Hidano, S., Kiyomoto, S.: Recommender systems robust to data poisoning using trim learning. In: ICISSP, pp. 721–724 (2020) Zhang et al. [2017] Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Zhang, F., Lu, Y., Chen, J., Liu, S., Ling, Z.: Robust collaborative filtering based on non-negative matrix factorization and r1-norm. Knowledge-based systems 118, 177–190 (2017) Yu et al. [2017] Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Yu, H., Gao, R., Wang, K., Zhang, F.: A novel robust recommendation method based on kernel matrix factorization. Journal of Intelligent & Fuzzy Systems 32(3), 2101–2109 (2017) Smith and Linden [2017] Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Smith, B., Linden, G.: Two decades of recommender systems at amazon. com. Ieee internet computing 21(3), 12–18 (2017) Gomez-Uribe and Hunt [2015] Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Gomez-Uribe, C.A., Hunt, N.: The netflix recommender system: Algorithms, business value, and innovation. ACM Transactions on Management Information Systems (TMIS) 6(4), 1–19 (2015) WU et al. [2014] WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- WU, Z., WANG, Y., CAO, J.: A survey on shilling attack models and detection techniques for recommender systems. Chinese Sci Bull 59(7), 551–560 (2014) Zhang et al. [2020] Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., Kankanhalli, M.: Attacks which do not kill training make adversarial learning stronger. In: ICML, pp. 11278–11287 (2020). PMLR Yuan et al. [2019] Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Yuan, F., Yao, L., Benatallah, B.: Adversarial collaborative neural network for robust recommendation. In: SIGIR, pp. 1065–1068 (2019) Raghunathan et al. [2019] Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019) Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)
- Raghunathan, A., Xie, S.M., Yang, F., Duchi, J.C., Liang, P.: Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032 (2019)