Poisoning Attacks on Deep Learning-Based Recommender Systems


Student thesis: Doctoral Thesis

Supervisors/Advisors
  • Qian Wang (External person) (External Supervisor)
  • Cong WANG (Supervisor)
Award date: 25 Jun 2024

Abstract

In this era of information explosion, people increasingly rely on recommender systems to obtain the information they need quickly and accurately. To extract useful information from vast amounts of data, most recommender systems build their models with deep learning methods, which exposes those models to a range of security threats. Poisoning attacks, which manipulate recommendation results by injecting fake users, are a major branch of these threats. This thesis explores poisoning techniques in the context of deep learning-based recommender systems through three research directions: advancing poisoning attacks, discussing the threats posed by poisoning and the corresponding defenses, and exploring the broader applications of poisoning techniques.

Firstly, this thesis identifies a new attack surface in recommender systems based on self-supervised learning (SSL) and proposes SeqPoison, a poisoning attack against SSL-based recommender systems that simultaneously achieves effectiveness, stealthiness, and low overhead. While SSL, as a novel deep learning paradigm, can improve recommendation performance, it also introduces new attack surfaces that favor the attacker. The attack targets only the pre-training stage of self-supervised learning: by constructing surrogate models of this stage, an attacker can mount the attack without any API access or knowledge of the model's parameters. SeqPoison is evaluated on four commercial datasets and two classic recommendation models, where the recommendation frequency of the target items is boosted by hundreds to thousands of times while the fake users under the attacker's control amount to only 1% of the real users.
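
To make the surrogate-based idea concrete, here is a minimal Python sketch of one plausible reading of the paragraph above; it is not the thesis's SeqPoison algorithm. The co-occurrence "surrogate" and the names build_surrogate and craft_fake_user are hypothetical stand-ins for the pre-training-stage surrogate model and the fake-sequence generator.

```python
# Illustrative sketch only: SeqPoison itself is not reproduced here.
# Assumption (hypothetical): the attacker holds a public log of interaction
# sequences, fits a simple co-occurrence surrogate of the SSL pre-training
# stage, and emits fake user sequences that end in the target item.
import random
from collections import defaultdict

def build_surrogate(sequences):
    """Count item-to-item transitions as a stand-in for a pre-trained encoder."""
    trans = defaultdict(lambda: defaultdict(int))
    for seq in sequences:
        for a, b in zip(seq, seq[1:]):
            trans[a][b] += 1
    return trans

def craft_fake_user(trans, target_item, length=5):
    """Grow a plausible prefix under the surrogate, then append the target item,
    so the fake sequence looks like organic behavior leading to the target."""
    seq = [random.choice(list(trans))]
    for _ in range(length - 2):
        nxt = trans.get(seq[-1])
        if not nxt:
            break
        # follow the most frequent transition to stay close to real behavior
        seq.append(max(nxt, key=nxt.get))
    seq.append(target_item)
    return seq

# Toy interaction log (item IDs); in practice this would be a public dataset.
log = [[1, 2, 3, 4], [2, 3, 4, 5], [1, 2, 4, 5], [3, 4, 5, 1]]
surrogate = build_surrogate(log)
budget = max(1, len(log) // 100)  # ~1% fake users, matching the abstract's setup
fakes = [craft_fake_user(surrogate, target_item=99) for _ in range(budget)]
print(fakes)
```

The point of the sketch is the decoupling the abstract describes: the attacker never queries the victim model, only a locally built surrogate of the pre-training stage.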

Subsequently, this thesis explores the potential impact of poisoning attacks in the extreme scenario where only a small number of fake users can be injected. It proposes ClusterPoison, a poisoning attack for this limited-fake-user setting that serves as a plug-in component: it can be combined with various poisoning attacks against deep learning-based recommender systems to maximize the impact of a minimal number of fake users on the recommendation model. Studying attack performance in such extreme scenarios deepens the understanding of poisoning threats and motivates further work on defenses. ClusterPoison is evaluated on two commercial datasets in combination with two existing poisoning attacks, where injecting a single fake user among tens of thousands of real users increases the recommendation frequency of the target item by a factor of several to a dozen. After presenting these attacks, this thesis briefly outlines several defense mechanisms from the pre-processing and in-processing perspectives and discusses whether they can mitigate the attacks proposed here.
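
The following sketch illustrates one way to interpret the clustering idea; the actual ClusterPoison procedure is not shown. The choice of k-means, the densest-cluster heuristic, and the TARGET_ITEM constant are all assumptions made for illustration.

```python
# Illustrative sketch only: not the thesis's exact ClusterPoison method.
# Assumed idea: cluster the real user-item matrix, seed the single fake user's
# profile from the densest cluster's center so it sits where it can sway the
# model most, then hand that template to any existing poisoning attack.
import numpy as np
from sklearn.cluster import KMeans

rng = np.random.default_rng(0)
# Toy binary user-item interaction matrix (rows: users, columns: items).
X = (rng.random((200, 50)) < 0.1).astype(float)

km = KMeans(n_clusters=5, n_init=10, random_state=0).fit(X)
largest = np.bincount(km.labels_).argmax()      # densest cluster of real users
template = km.cluster_centers_[largest]

TARGET_ITEM = 7                                 # hypothetical item to promote
fake_user = (template > template.mean()).astype(float)
fake_user[TARGET_ITEM] = 1.0                    # always interact with the target
X_poisoned = np.vstack([X, fake_user])          # one fake user among 200 real ones
print(X_poisoned.shape)
```

The design intuition, as suggested by the abstract, is that with a budget of one fake user its placement matters far more than its count, so the profile is anchored where real users are densest.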

Finally, this thesis regards poisoning as a technique rather than merely an attack and explores its utility in other domains. Because poisoning attacks typically decouple the generation of poisoning data from the target model, this thesis inherits that advantage and proposes FairPoison, a solution that applies the idea of poisoning attacks to address fairness issues. The approach improves the fairness of recommendation models by injecting a small number of fake users, showing that the concepts and techniques of poisoning attacks can benefit recommender systems as well as harm them. FairPoison is entirely decoupled from the model and can improve model fairness and recommendation accuracy at the same time. It is evaluated on two commercial datasets and two classic recommendation models, where injecting fake users amounting to 5% of the real users yields roughly a 10% improvement in model fairness and a 40% improvement in recommendation accuracy.
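
As a rough illustration of how fake users could be repurposed for fairness, the sketch below rebalances item exposure; it is an assumed reading of the abstract, not the FairPoison objective, and the "bottom 20% of items" fairness proxy is hypothetical.

```python
# Illustrative sketch only: the real FairPoison optimization is not shown.
# Assumed idea: fake users (about 5% of the real population, per the abstract's
# setup) interact mostly with an under-exposed item group, nudging the trained
# model toward fairer exposure without modifying the model itself.
import numpy as np

rng = np.random.default_rng(1)
n_users, n_items = 1000, 100
X = (rng.random((n_users, n_items)) < 0.05).astype(float)

exposure = X.sum(axis=0)
under_exposed = np.argsort(exposure)[: n_items // 5]   # bottom 20% of items

n_fake = int(0.05 * n_users)                           # 5% fake users
fake = np.zeros((n_fake, n_items))
for row in fake:
    # each fake user rates a handful of under-exposed items
    picks = rng.choice(under_exposed, size=5, replace=False)
    row[picks] = 1.0

X_fair = np.vstack([X, fake])
print("exposure gap before:", exposure.max() - exposure.min())
print("exposure gap after :", X_fair.sum(0).max() - X_fair.sum(0).min())
```

Because the injected profiles are plain training data, this keeps the property the abstract emphasizes: the fix is entirely decoupled from the recommendation model.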

By investigating various aspects of poisoning attacks against deep learning-based recommender systems, this thesis provides new insights into the field and offers valuable references for future studies.

Research areas

  • Recommender system, Poisoning attack, Limited fake users, Fairness