# Attacks on Recommender Systems

Recommender systems play a crucial role in helping users find information of interest in web services such as Amazon, YouTube, and Google News. Various recommender systems, ranging from neighborhood-based, association-rule-based, and matrix-factorization-based to deep-learning-based, have been developed and deployed in industry. Among them, deep-learning-based recommender systems have become increasingly popular due to their superior performance.

Recommendation systems (RS) have become an essential part of many online services. Because of their pivotal role in guiding customers towards purchases, unscrupulous parties have a natural motivation to spoof an RS for profit.

As recommender systems have advanced, various techniques have been employed to influence their output in order to promote or demote a particular product. An attack inserts bogus data into a recommendation system. Collaborative-filtering-based recommender systems are the most sensitive to attacks in which malicious users insert fake profiles into the rating database in order to bias the system's output (these attacks are known as profile injection or shilling attacks). The purpose of an attack can vary: to increase (push attack) or decrease (nuke attack) some items' ratings by manipulating the recommender system, to manipulate "Internet opinion", or simply to sabotage the system.

The attack technique is to create numerous fake accounts/profiles and issue high or low ratings to the "target item".

In general terms, a true user's profile is characterized as 80% unrated items and 20% rated items, whereas a fake profile consists of 20% unrated items and 80% rated items (target items + selected items + filler items). From this description of genuine and fake user profiles it is clear that, to attack a recommender system, attack profiles need to be designed to be as statistically close to genuine profiles as possible.

## Attacker's goals

### Item promotion

Manipulate a recommender system such that the attacker-chosen target items are recommended to many users.

### Item demotion

a.k.a. nuke attack: manipulate a recommender system so that the attacker-chosen target items are rated lower and recommended to fewer users.

### Target specific user group

The target user group is the group of users that an attack aims at.

### Ancillary effects

Ancillary effects (e.g., demoting competitors, or biasing the ratings of particular user groups on selected items) may also be desired in an attack. Such intentions manifest in the choice of selected items.

## Attacker's knowledge

### Access to data

Attack capability increases if the attacker already has access to data such as the user-item interaction matrix.

### Access to the neural architecture

Attack capability increases if the attacker has access to the neural architecture of the target recommender system.

## Attack types

### Data poisoning

a.k.a. fake data injection. The attacker injects fake users with carefully crafted ratings into a recommender system. These fake data are included in the training dataset of the target recommender system and thus poison the training process. When item promotion is the goal, the injected ratings are chosen to maximize the number of normal users to whom the target items are recommended.

Recommendation engines are prone to performance alteration by malicious users who may be able to poison the training data with hand-engineered or machine-learning-optimized fake user profiles (shilling profiles). The attacker's goal is to manipulate the recommender system such that attacker-chosen target items are recommended to many users. To achieve this goal, the attack injects fake users with carefully crafted ratings into the recommender system.

According to whether data poisoning attacks are focused on a specific type of recommender system, we can divide them into two categories: algorithm-agnostic and algorithm-specific. The former (e.g., shilling attacks such as random attacks and bandwagon attacks) does not consider the algorithm used by the recommender system and therefore often has limited effectiveness. For instance, random attacks simply choose the rated items of fake users at random from the whole item set, and bandwagon attacks tend to select highly popular items in the dataset for fake users. Algorithm-specific data poisoning attacks are optimized for a specific type of recommender system and have been developed for graph-based, association-rule-based, matrix-factorization-based, and neighborhood-based recommender systems.

Data poisoning attacks pose severe threats to the trustworthiness of recommender systems and could manipulate Internet opinion. For instance, if an attacker manipulates a news recommender system such that a particular type of news is always recommended to users, then the attacker may be able to manipulate the users' opinions.

### Profile pollution

Unlike a data poisoning attack, a profile pollution attack is carried out at test time. It pollutes the historical behavior of normal users. It relies on cross-site request forgery (CSRF) and is only applicable to item-to-item recommender systems.

### Image spoofing

In this attack, images of a category of rarely recommended products (e.g., socks) are perturbed so that the deep neural classifier misclassifies them as a category of frequently recommended products (e.g., running shoes), using slight image alterations that are barely perceptible to humans.

### Evasion vs poisoning attacks

<p><center><figure><img src='_images/US026046_1.png'><figcaption>A schematic representation of the distinction between evasion attacks and poisoning attacks.</figcaption></figure></center></p>

## Examples

### Item promotion

<p><center><img src='_images/US026046_2.png'></center></p>

An example of a simple promotion attack favoring the target item Item6.

### Item nuke

<p><center><img src='_images/US026046_3.png'></center></p>

An example of a simple nuke attack disfavoring the target item Item6.

### False reviews

Amazon product reviews are distorted by thousands of fake ones. False reviews were helping unknown brands dominate searches for popular items. Hundreds of unverified five-star reviews were being posted on product pages in a single day. Many product pages also included positive reviews for completely different items.

<p><center><img src='_images/US026046_4.png'></center></p>

## Countermeasures

Attack profiles created by traditional models are effective in promoting an item, but they are highly correlated with each other and hence can be detected by the recommender system easily.

<p><center><img src='_images/US026046_5.png'></center></p>

Genuine profiles have high variance but low covariance; for fake profiles it is the reverse.

<p><center><img src='_images/US026046_6.png'></center></p>

Genuine profiles in green and fake profiles in red; detection done using PCA.

### Goal

Protect something (important to the recommender or its users)

- from someone
- who has goals
- and certain capabilities

For example, `influence limiter` threat model:

- protect recommender accuracy and neutrality
- from malicious users
- who want to push or kill products
- and create fake accounts

### Methods

To reduce this risk, various techniques have been proposed to detect such attacks, using diverse features extracted from user profiles. Detection techniques can be described as descriptive statistics that capture some of the major characteristics that make an attacker's profile look different from a genuine user's profile.

- Rating Deviation from Mean Agreement (RDMA) can identify attackers by analysing the profile's average deviation per item or user.
- Weighted Deviation from Mean Agreement (WDMA) can help identify anomalies by placing a higher weight on rating deviations for sparsely rated items.
- Length Variance (LengthVar) captures how much the length of a given profile varies from the average profile length in the dataset. It is particularly effective in detecting attacks with large filler sizes.
- Degree of Similarity with Top Neighbours (DegSim) captures the average similarity of a profile to its k nearest neighbours.
- Increase profile injection costs (CAPTCHAs, low-cost manual insertion).
- Use statistical attack detection methods (detect groups of users who collaborate to push/nuke items; monitor the development of ratings for an item: changes in average rating and in rating entropy; use ML to detect fake profiles).
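As an added illustration (not code from the original page), the four profile features above computed in pure Python over a constructed rating matrix: six sparse genuine profiles and three dense, near-identical profiles that all give item 7 the top rating. The matrix and its genuine/suspect grouping are assumptions used only to check the features; DegSim, being a mean correlation with the nearest profiles, also exposes the high covariance among fake profiles noted under Countermeasures.

```python
"""Profile-level detection features (RDMA, WDMA, LengthVar, DegSim) in pure Python."""
from math import sqrt

UNRATED = 0  # 0 marks an unrated item; ratings run from 1 to 5

# Constructed sample rating matrix (rows = profiles, columns = items 0..7).
# Six sparse genuine profiles, then three dense near-identical profiles that
# all rate item 7 with 5; the grouping is an assumption used only for checks.
RATINGS = [
    [5, 3, 0, 0, 4, 0, 0, 0],  # g1
    [0, 4, 2, 0, 0, 5, 0, 0],  # g2
    [3, 0, 0, 5, 0, 0, 1, 0],  # g3
    [0, 0, 4, 4, 0, 0, 0, 2],  # g4
    [2, 0, 0, 0, 5, 3, 0, 0],  # g5
    [0, 5, 0, 0, 0, 0, 4, 3],  # g6
    [3, 3, 3, 3, 3, 3, 3, 5],  # s1 (suspect)
    [3, 3, 3, 3, 3, 3, 0, 5],  # s2 (suspect)
    [3, 3, 3, 3, 3, 0, 3, 5],  # s3 (suspect)
]
GENUINE, SUSPECT = range(0, 6), range(6, 9)

def item_stats(ratings):
    """Per-item number of ratings NR_i and mean rating avg_i."""
    n_items = len(ratings[0])
    counts = [sum(1 for row in ratings if row[i] != UNRATED) for i in range(n_items)]
    sums = [sum(row[i] for row in ratings if row[i] != UNRATED) for i in range(n_items)]
    return counts, [s / c if c else 0.0 for s, c in zip(sums, counts)]

def rdma(ratings, u, power=1):
    """Rating Deviation from Mean Agreement: mean over u's rated items of
    |r_ui - avg_i| / NR_i^power.  power=2 gives WDMA, which weights
    deviations on sparsely rated items more heavily."""
    counts, means = item_stats(ratings)
    rated = [i for i, r in enumerate(ratings[u]) if r != UNRATED]
    return sum(abs(ratings[u][i] - means[i]) / counts[i] ** power for i in rated) / len(rated)

def wdma(ratings, u):
    """Weighted Deviation from Mean Agreement."""
    return rdma(ratings, u, power=2)

def length_var(ratings, u):
    """|N_u - mean(N)| / sum_k (N_k - mean(N))^2; large for dense filler profiles."""
    lengths = [sum(1 for r in row if r != UNRATED) for row in ratings]
    mean_len = sum(lengths) / len(lengths)
    return abs(lengths[u] - mean_len) / sum((n - mean_len) ** 2 for n in lengths)

def pearson(a, b):
    """Pearson correlation over co-rated items; 0.0 when it is undefined."""
    pairs = [(x, y) for x, y in zip(a, b) if x != UNRATED and y != UNRATED]
    if len(pairs) < 2:
        return 0.0
    mx = sum(x for x, _ in pairs) / len(pairs)
    my = sum(y for _, y in pairs) / len(pairs)
    cov = sum((x - mx) * (y - my) for x, y in pairs)
    vx = sum((x - mx) ** 2 for x, _ in pairs)
    vy = sum((y - my) ** 2 for _, y in pairs)
    return cov / sqrt(vx * vy) if vx and vy else 0.0

def deg_sim(ratings, u, k=2):
    """Mean similarity to u's k nearest neighbours; near-duplicate attack
    profiles are each other's nearest neighbours and score close to 1."""
    sims = sorted((pearson(ratings[u], ratings[v]) for v in range(len(ratings)) if v != u), reverse=True)
    return sum(sims[:k]) / k

if __name__ == "__main__":
    for u in range(len(RATINGS)):
        label = "genuine" if u in GENUINE else "suspect"
        print(u, label, round(rdma(RATINGS, u), 3), round(wdma(RATINGS, u), 4),
              round(length_var(RATINGS, u), 3), round(deg_sim(RATINGS, u), 2))
```

On this matrix LengthVar and DegSim separate the dense, mutually correlated profiles from the genuine ones, while RDMA alone does not, because the suspects also pull the item averages toward their own ratings.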


## Timeline

<p><center><img src='_images/US026046_7.png'></center></p>

## Traditional attack methods

- Random Attack: random values are used for filler items, and high/low ratings for target items.
- Average Attack: attack profiles are generated such that the rating for each filler item is the mean rating for that item across all users in the database.
- Bandwagon Attack: profiles are generated such that, besides giving high ratings to the target items, they contain only high values for selected (popular) items and random values for some filler items.
- Segment Attack: inserted bots are made more similar to the users of a market segment, so as to push the item within the relevant community.
- User Shifting: all ratings for a subset of items in each attack profile are incremented or decremented by a constant amount so as to reduce the similarity between attack profiles.
- Mixed Attack: the attack targets the same item, but the attack profiles are produced by different attack modules.
- Noise Injection: noise drawn from a standard normal distribution and multiplied by a constant β, which governs the amount of noise, is added to the ratings.

```{tableofcontents}
```

## References

1. Profile Injection Attack Detection for Securing Collaborative Recommender Systems. [Chad Williams. 2006.](https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.219.2864&rep=rep1&type=pdf)
2. Defending Recommender Systems: Detection of Profile Injection Attacks. [Chad A. Williams, Bamshad Mobasher, and Robin Burke. 2007.](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.122.8693&rep=rep1&type=pdf)
3. Detection of Profile Injection Attacks in Social Recommender Systems Using Outlier Analysis. [Anahita Davoudi and Mainak Chatterjee. 2017. IEEE.](http://eecs.ucf.edu/~anahita/08258235.pdf)
4. Profile Injection Attack Detection in Recommender System. [Ashish Kumar (2015) Profile Injection Attack Detection in Recommender System [Master Thesis]](https://gdeepak.com/thesisme/Thesis-Ashish.pdf)
5. Practical Data Poisoning Attack against Next-Item Recommendation. [Hengtong Zhang, Yaliang Li, Bolin Ding, Jing Gao. 2020. arXiv.](https://arxiv.org/abs/2004.03728)
6. Adversarial Item Promotion: Vulnerabilities at the Core of Top-N Recommenders that Use Images to Address Cold Start. [Zhuoran Liu, Martha Larson. 2020. arXiv.](https://arxiv.org/abs/2006.01888) [Zhuoran Liu (2021) AIP: Adversarial Item Promotion [Source code]](https://github.com/liuzrcc/AIP)
7. Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction. [Zhenrui Yue, Zhankui He, Huimin Zeng, Julian McAuley. 2021. arXiv.](https://arxiv.org/abs/2109.01165) [Zhenrui (2020) PyTorch Implementation of Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction [Source code]](https://github.com/yueeeeeeee/recsys-extraction-attack)
8. Membership Inference Attacks Against Recommender Systems. [Minxing Zhang, Zhaochun Ren, Zihan Wang, Pengjie Ren, Zhumin Chen, Pengfei Hu, Yang Zhang. 2021. arXiv.](https://arxiv.org/abs/2109.08045)
9. A Study of Defensive Methods to Protect Visual Recommendation Against Adversarial Manipulation of Images. [http://sisinflab.poliba.it/publications/2021/ADDMM21/SIGIR2021_A_Study_of_Defensive_Methods_to_Protect_Visual_Recommendation_Against_Adversarial_Manipulation_of_Images.pdf](http://sisinflab.poliba.it/publications/2021/ADDMM21/SIGIR2021_A_Study_of_Defensive_Methods_to_Protect_Visual_Recommendation_Against_Adversarial_Manipulation_of_Images.pdf). [https://github.com/sisinflab/Visual-Adversarial-Recommendation](https://github.com/sisinflab/Visual-Adversarial-Recommendation)
10. PoisonRec: An Adaptive Data Poisoning Framework for Attacking Black-box Recommender Systems. [Junshuai Song, Zhao Li, Zehong Hu, Yucheng Wu, Zhenpeng Li, Jian Li and Jun Gao. 2020. IEEE.](https://conferences.computer.org/icde/2020/pdfs/ICDE2020-5acyuqhpJ6L9P042wmjY1p/290300a157/290300a157.pdf)
11. Ready for Emerging Threats to Recommender Systems? A Graph Convolution-based Generative Shilling Attack. [Fan Wu, Min Gao, Junliang Yu, Zongwei Wang, Kecheng Liu, Xu Wange. 2021. arXiv.](https://arxiv.org/abs/2107.10457)
12. A Black-Box Attack Model for Visually-Aware Recommender Systems. [Rami Cohen, Oren Sar Shalom, Dietmar Jannach, Amihood Amir. 2020. arXiv.](https://arxiv.org/abs/2011.02701) [https://github.com/vis-rs-attack/code](https://github.com/vis-rs-attack/code)
13. Poisoning Attack against Estimating from Pairwise Comparisons. [Ke Ma, Qianqian Xu, Jinshan Zeng, Xiaochun Cao, and Qingming Huang. 2021. arXiv.](https://arxiv.org/abs/2107.01854v1) [alphaprime (2021) Poisoning Attack against Estimating from Pairwise Comparisons [Source code]](https://github.com/alphaprime/Poisonging_Attack_Pairwise_Comparison)
14. Assessing Perceptual and Recommendation Mutation of Adversarially-Poisoned Visual Recommenders. [Paper](http://sisinflab.poliba.it/publications/2020/ADMM20/CR_WDCS_NeurIPS2020_Assessing_Perceptual_and_Recommendation_Mutation_of_Adversarialli_Poisoned_Visual_Recommenders.pdf). [Code](https://github.com/sisinflab/adversarial-recommender-systems-survey/blob/master/Perceptual-Rec-Mutation-of-Adv-VRs)
15. Multi-Step Adversarial Perturbations on Recommender Systems Embeddings. [Paper](https://arxiv.org/abs/2010.01329). [https://anonymous.4open.science/r/9f27f909-93d5-4016-b01c-8976b8c14bc5/](https://www.notion.so/9f27f90993d54016b01c8976b8c14bc5)
16. Adversarial Training Towards Robust Multimedia Recommender System. [Paper](https://ieeexplore.ieee.org/document/8618394). [Code](https://github.com/duxy-me/AMR)
17. A survey on Adversarial Recommender Systems: from Attack/Defense strategies to Generative Adversarial Networks. [Yashar Deldjoo, Tommaso Di Noia, Felice Antonio Merra. 2021. arXiv.](https://arxiv.org/abs/2005.10322) [**https://github.com/sisinflab/adversarial-recommender-systems-survey**](https://github.com/sisinflab/adversarial-recommender-systems-survey)
18. A Complete List of All (arXiv) Adversarial Example Papers [🌐Link](https://nicholas.carlini.com/writing/2019/all-adversarial-example-papers.html)
19. Graph Adversarial Learning Literature [Link](https://github.com/safe-graph/graph-adversarial-learning-literature)
20. Awesome Graph Adversarial Learning [Link](https://github.com/gitgiter/Graph-Adversarial-Learning)
21. Awesome Graph Attack and Defense Papers [Link](https://github.com/ChandlerBang/awesome-graph-attack-papers)
22. Segment-Focused Shilling Attacks against Recommendation Algorithms in Binary Ratings-based Recommender Systems, *International Journal of Hybrid Information Technology*, [📝Paper](https://www.semanticscholar.org/paper/Segment-Focused-Shilling-Attacks-against-Algorithms-Zhang/5c7e96dcaf253f37904f91fdb6fdd6f486dba134)
23. Shilling attack models in recommender system, *International Conference on Inventive Computation Technologies (ICICT)*, [📝Paper](https://ieeexplore.ieee.org/document/7824865)
24. Graph Embedding for Recommendation against Attribute Inference Attacks, *WWW*, [📝Paper](https://arxiv.org/pdf/2101.12549.pdf)
25. Understanding the Effects of Adversarial Personalized Ranking Optimization Method on Recommendation Quality, *Arxiv*, 📝[Paper](https://arxiv.org/abs/2107.13876)
26. GCN-Based User Representation Learning for Unifying Robust Recommendation and Fraudster Detection, *Arxiv*, [📝Paper](https://arxiv.org/abs/2005.10150)
27. On Detecting Data Pollution Attacks On Recommender Systems Using Sequential GANs, *ICML*, [📝Paper](https://arxiv.org/abs/2012.02509)
28. A Robust Hierarchical Graph Convolutional Network Model for Collaborative Filtering, *Arxiv*, [📝Paper](https://arxiv.org/abs/2004.14734)
29. Adversarial Collaborative Auto-encoder for Top-N Recommendation, *Arxiv*, [📝Paper](https://arxiv.org/abs/1808.05361)
30. Adversarial Attacks and Detection on Reinforcement Learning-Based Interactive Recommender Systems, *Arxiv*, [📝Paper](https://arxiv.org/abs/2006.07934)
31. Adversarial Learning to Compare: Self-Attentive Prospective Customer Recommendation in Location based Social Networks, *WSDM*, [📝Paper](https://dl.acm.org/doi/abs/10.1145/3336191.3371841)
32. Certifiable Robustness to Discrete Adversarial Perturbations for Factorization Machines, *SIGIR*, [📝Paper](http://jiyang3.web.engr.illinois.edu/files/fm-rt.pdf)
33. Directional Adversarial Training for Recommender Systems, *ECAI*, [📝Paper](http://ecai2020.eu/papers/300_paper.pdf)
34. Shilling Attack Detection Scheme in Collaborative Filtering Recommendation System Based on Recurrent Neural Network, *Future of Information and Communication Conference*, [📝Paper](https://link.springer.com/chapter/10.1007/978-3-030-39445-5_46)
35. Learning Product Rankings Robust to Fake Users, *Arxiv*, [📝Paper](https://arxiv.org/abs/2009.05138)
36. Privacy-Aware Recommendation with Private-Attribute Protection using Adversarial Learning, *WSDM*, [📝Paper](https://arxiv.org/abs/1911.09872)
37. Quick and accurate attack detection in recommender systems through user attributes, *RecSys*, [📝Paper](https://dl.acm.org/doi/10.1145/3298689.3347050)
38. Global and Local Differential Privacy for Collaborative Bandits, *RecSys*, [📝Paper](https://dl.acm.org/doi/pdf/10.1145/3383313.3412254)
39. Towards Safety and Sustainability: Designing Local Recommendations for Post-pandemic World, *RecSys*, [📝Paper](https://dl.acm.org/doi/pdf/10.1145/3383313.3412251)
40. GCN-Based User Representation Learning for Unifying Robust Recommendation and Fraudster Detection, *RecSys*, [📝Paper](https://dl.acm.org/doi/abs/10.1145/3397271.3401165)
41. Adversarial Training Towards Robust Multimedia Recommender System, *TKDE*, [📝Paper](https://graphreason.github.io/papers/35.pdf), [Code](https://github.com/duxy-me/AMR)
42. Adversarial Collaborative Neural Network for Robust Recommendation, *SIGIR*, [📝Paper](https://www.researchgate.net/publication/332861957_Adversarial_Collaborative_Neural_Network_for_Robust_Recommendation)
43. Adversarial Mahalanobis Distance-based Attentive Song Recommender for Automatic Playlist Continuation, *SIGIR*, [📝Paper](http://web.cs.wpi.edu/~kmlee/pubs/tran19sigir.pdf), [Code](https://github.com/thanhdtran/MASR)
44. Adversarial tensor factorization for context-aware recommendation, *RecSys*, [📝Paper](https://dl.acm.org/doi/10.1145/3298689.3346987), [Code]
45. Adversarial Training-Based Mean Bayesian Personalized Ranking for Recommender System, *IEEE Access*, [📝Paper](https://ieeexplore.ieee.org/document/8946325)
46. Securing the Deep Fraud Detector in Large-Scale E-Commerce Platform via Adversarial Machine Learning Approach, *WWW*, [📝Paper](https://www.ntu.edu.sg/home/boan/papers/WWW19.pdf)
47. Shilling Attack Detection in Recommender System Using PCA and SVM, *Emerging technologies in data mining and information security*, [📝Paper](https://link.springer.com/chapter/10.1007/978-981-13-1498-8_55)
48. Adversarial Personalized Ranking for Recommendation, *SIGIR*, [📝Paper](https://dl.acm.org/citation.cfm?id=3209981), [Code](https://github.com/hexiangnan/adversarial_personalized_ranking)
49. A shilling attack detector based on convolutional neural network for collaborative recommender system in social aware network, *The Computer Journal*, [📝Paper](https://academic.oup.com/comjnl/article-abstract/61/7/949/4835634)
50. Adversarial Sampling and Training for Semi-Supervised Information Retrieval, *WWW*, [📝Paper](https://arxiv.org/abs/1506.05752)
51. Enhancing the Robustness of Neural Collaborative Filtering Systems Under Malicious Attacks, *IEEE Transactions on Multimedia*, [📝Paper](https://ieeexplore.ieee.org/document/8576563)
52. An Obfuscated Attack Detection Approach for Collaborative Recommender Systems, *Journal of computing and information technology*, [📝Paper](https://hrcak.srce.hr/203982)
53. Detecting Abnormal Profiles in Collaborative Filtering Recommender Systems, *Journal of Intelligent Information Systems*, [📝Paper](https://link.springer.com/article/10.1007/s10844-016-0424-5)
54. Detection of Profile Injection Attacks in Social Recommender Systems Using Outlier Analysis, *IEEE Big Data*, [📝Paper](http://www.cs.ucf.edu/~anahita/08258235.pdf)
55. Prevention of shilling attack in recommender systems using discrete wavelet transform and support vector machine, *Eighth International Conference on Advanced Computing (ICoAC)*, [📝Paper](https://ieeexplore.ieee.org/document/7951753)
56. Discovering shilling groups in a real e-commerce platform, *Online Information Review*, [📝Paper](https://www.emerald.com/insight/content/doi/10.1108/OIR-03-2015-0073/full/html)
57. Shilling attack detection in collaborative filtering recommender system by PCA detection and perturbation, *International Conference on Wavelet Analysis and Pattern Recognition (ICWAPR)*, [📝Paper](https://ieeexplore.ieee.org/document/7731644)
58. Re-scale AdaBoost for attack detection in collaborative filtering recommender systems, *KBS*, [📝Paper](https://www.sciencedirect.com/science/article/pii/S0950705116000861)
59. SVM-TIA a shilling attack detection method based on SVM and target item analysis in recommender systems, *Neurocomputing*, [📝Paper](https://www.sciencedirect.com/science/article/abs/pii/S0925231216306038)
60. Adversarial Machine Learning in Recommender Systems: State of the art and Challenges, *Arxiv2020*, [📝Paper](https://arxiv.org/abs/2005.10322)
61. A Survey of Adversarial Learning on Graphs, *Arxiv2020*, [📝Paper](https://arxiv.org/abs/2003.05730)
62. Adversarial Attacks and Defenses on Graphs: A Review and Empirical Study, *Arxiv2020*, [📝Paper](https://arxiv.org/abs/2003.00653)
63. Shilling attacks against collaborative recommender systems: a review, *Artificial Intelligence Review*, [📝Paper](https://link.springer.com/article/10.1007/s10462-018-9655-x)
64. Adversarial Attacks and Defenses in Images, Graphs and Text: A Review, *Arxiv2019*, [📝Paper](https://arxiv.org/abs/1909.08072)
65. A Survey of Attacks in Collaborative Recommender Systems, *Journal of Computational and Theoretical Nanoscience 2019*, [📝Paper](https://www.ingentaconnect.com/content/asp/jctn/2019/00000016/f0020005/art00029)
66. Adversarial Attack and Defense on Graph Data: A Survey, *Arxiv2018*, [📝Paper](https://arxiv.org/abs/1812.10528)
67. Adversarial Machine Learning: The Case of Recommendation Systems, *IEEE 19th International Workshop on Signal Processing Advances in Wireless Communications (SPAWC)*, [📝Paper](https://ieeexplore.ieee.org/abstract/document/8445767)
68. Recommender Systems: Attack Types and Strategies, *AAAI*2005, 📝[Paper](https://www.aaai.org/Papers/AAAI/2005/AAAI05-053.pdf)
69. A Review of Attacks and Its Detection Attributes on Collaborative Recommender Systems, *IJARCS2017*, 📝[Paper](http://www.ijarcs.info/index.php/Ijarcs/article/download/4550/4100)