
Manipulating Recommender Systems: A Survey of Poisoning Attacks and Countermeasures (2404.14942v1)

Published 23 Apr 2024 in cs.CR, cs.IR, and cs.LG

Abstract: Recommender systems have become an integral part of online services to help users locate specific information in a sea of data. However, existing studies show that some recommender systems are vulnerable to poisoning attacks, particularly those that involve learning schemes. A poisoning attack is where an adversary injects carefully crafted data into the process of training a model, with the goal of manipulating the system's final recommendations. Based on recent advancements in artificial intelligence, such attacks have gained importance recently. While numerous countermeasures to poisoning attacks have been developed, they have not yet been systematically linked to the properties of the attacks. Consequently, assessing the respective risks and potential success of mitigation strategies is difficult, if not impossible. This survey aims to fill this gap by primarily focusing on poisoning attacks and their countermeasures. This is in contrast to prior surveys that mainly focus on attacks and their detection methods. Through an exhaustive literature review, we provide a novel taxonomy for poisoning attacks, formalise its dimensions, and accordingly organise 30+ attacks described in the literature. Further, we review 40+ countermeasures to detect and/or prevent poisoning attacks, evaluating their effectiveness against specific types of attacks. This comprehensive survey should serve as a point of reference for protecting recommender systems against poisoning attacks. The article concludes with a discussion on open issues in the field and impactful directions for future research. A rich repository of resources associated with poisoning attacks is available at https://github.com/tamlhp/awesome-recsys-poisoning.
