TY - GEN
T1 - Attacking black-box recommendations via copying cross-domain user profiles
AU - Fan, Wenqi
AU - Derr, Tyler
AU - Zhao, Xiangyu
AU - Ma, Yao
AU - Liu, Hui
AU - Wang, Jianping
AU - Tang, Jiliang
AU - Li, Qing
N1 - Funding Information:
ACKNOWLEDGMENT The research described in this paper has been partly supported by an internal research fund from the Hong Kong Polytechnic University (project no. P0036200), the Hong Kong Research Grants Council (RGC) under the General Research Fund (project no. 11204919) and RIF project R5060-19. Tyler Derr, Xiangyu Zhao, Yao Ma and Jiliang Tang are supported by the National Science Foundation (NSF) under grant numbers IIS-1714741, IIS-1715940, IIS-1845081, IIS-1907704, IIS-1928278 and CNS-1815636.
Publisher Copyright:
© 2021 IEEE.
PY - 2021/4
Y1 - 2021/4
N2 - Recommender systems, which aim to suggest personalized lists of items for users, have drawn a lot of attention. In fact, many of these state-of-the-art recommender systems have been built on deep neural networks (DNNs). Recent studies have shown that these deep neural networks are vulnerable to attacks, such as data poisoning, which generates fake users to promote a selected set of items. Correspondingly, effective defense strategies have been developed to detect these generated users with fake profiles. Thus, new strategies for creating more 'realistic' user profiles to promote a set of items should be investigated to further understand the vulnerability of DNN-based recommender systems. In this work, we present a novel framework, CopyAttack. It is a reinforcement-learning-based black-box attack method that harnesses real users from a source domain by copying their profiles into the target domain with the goal of promoting a subset of items. CopyAttack is constructed to both efficiently and effectively learn policy gradient networks that first select, then further refine/craft user profiles from the source domain, and ultimately copy them into the target domain. CopyAttack's goal is to maximize the hit ratio of the targeted items in the Top-k recommendation lists of the users in the target domain. We conducted experiments on two real-world datasets and empirically verified the effectiveness of the proposed framework. The implementation of CopyAttack is available at https://github.com/wenqifan03/CopyAttack.
AB - Recommender systems, which aim to suggest personalized lists of items for users, have drawn a lot of attention. In fact, many of these state-of-the-art recommender systems have been built on deep neural networks (DNNs). Recent studies have shown that these deep neural networks are vulnerable to attacks, such as data poisoning, which generates fake users to promote a selected set of items. Correspondingly, effective defense strategies have been developed to detect these generated users with fake profiles. Thus, new strategies for creating more 'realistic' user profiles to promote a set of items should be investigated to further understand the vulnerability of DNN-based recommender systems. In this work, we present a novel framework, CopyAttack. It is a reinforcement-learning-based black-box attack method that harnesses real users from a source domain by copying their profiles into the target domain with the goal of promoting a subset of items. CopyAttack is constructed to both efficiently and effectively learn policy gradient networks that first select, then further refine/craft user profiles from the source domain, and ultimately copy them into the target domain. CopyAttack's goal is to maximize the hit ratio of the targeted items in the Top-k recommendation lists of the users in the target domain. We conducted experiments on two real-world datasets and empirically verified the effectiveness of the proposed framework. The implementation of CopyAttack is available at https://github.com/wenqifan03/CopyAttack.
KW - Adversarial Attacks
KW - Black-box Attacks
KW - Cross-Domain
KW - Data Poisoning Attacks
KW - Recommender Systems
UR - http://www.scopus.com/inward/record.url?scp=85110796113&partnerID=8YFLogxK
U2 - 10.1109/ICDE51399.2021.00140
DO - 10.1109/ICDE51399.2021.00140
M3 - Conference article published in proceeding or book
AN - SCOPUS:85110796113
T3 - Proceedings - International Conference on Data Engineering
SP - 1583
EP - 1594
BT - Proceedings - 2021 IEEE 37th International Conference on Data Engineering, ICDE 2021
PB - IEEE Computer Society
T2 - 37th IEEE International Conference on Data Engineering, ICDE 2021
Y2 - 19 April 2021 through 22 April 2021
ER -