A Survey of Poisoning Attacks and Countermeasures in Recommender Systems
A repository of poison attacks against recommender systems, as well as their countermeasures. This repository is associated with our systematic review, entitled Manipulating Recommender Systems: A Survey of Poisoning Attacks and Countermeasures.
-
Existing Surveys
-
Taxonomy
-
Poison Attacks
-
Model-agnostic
-
Model-intrinsic
-
Countermeasures
-
Supervised
-
Semi Supervised
-
Unsupervised
-
Datasets
A sortable version is available here: https://awesome-recsys-poisoning.github.io/
🔖 News!!!
📌 We are actively tracking the latest research and welcome contributions to our repository and survey paper. If your studies are relevant, please feel free to create an issue or a pull request.
📰 2024-06-20: Our paper Manipulating Recommender Systems: A Survey of Poisoning Attacks and Countermeasures has been accepted by ACM Computing Surveys (CSUR) (IF 16.6, Top 2%, CORE A*) in 2024.
Citation
If you find this work helpful in your research, welcome to cite the paper and give a ⭐.
Please read and cite our paper:
Nguyen, T.T., Nguyen, Q.V.H., Nguyen, T.T., Huynh, T.T., Nguyen, T.T., Weidlich, M. and Yin, H., 2024. Manipulating Recommender Systems: A Survey of Poisoning Attacks and Countermeasures. arXiv preprint arXiv:2404.14942.
@article{nguyen2024manipulating,
title={Manipulating Recommender Systems: A Survey of Poisoning Attacks and Countermeasures},
author={Nguyen, Thanh Toan and Nguyen, Quoc Viet Hung and Nguyen, Thanh Tam and Huynh, Thanh Trung and Nguyen, Thanh Thi and Weidlich, Matthias and Yin, Hongzhi},
journal={arXiv preprint arXiv:2404.14942},
year={2024}
}
Existing Surveys
Taxonomy
Poison Attacks
Poisoning attacks are the process of tampering with the training data of a machine learning (ML) model in order to corrupt its availability and integrity. Below figure presents the typical process of a poisoning attack compared to the normal learning process. In the latter case, an ML model is trained based on data, which is subsequently used to derive a
recommendation. As such, the quality of the ML model depends on the quality of the data used for training. In a poisoning attack, data is injected into the training process, and hence the model, to produce unintended or harmful conclusions.
| Paper |
Venue |
Year |
Type |
Data |
Code |
| Poisoning GNN-based recommender systems with generative surrogate-based attacks |
ACM TOIS |
2023 |
Model-intrinsic |
FR, ML, AMCP, LF |
- |
| Shilling Black-Box Recommender Systems by Learning to Generate Fake User Profiles |
IEEE Trans. Neural Netw. Learn. Syst |
2022 |
Model-agnostic |
ML, FT, YE, AAT |
- |
| Knowledge enhanced Black-box Attacks for Recommendations |
KDD |
2022 |
Model-agnostic |
ML, BC, LA |
- |
| LOKI: A Practical Data Poisoning Attack Frameworkagainst Next Item Recommendations |
TKDE |
2022 |
Model-agnostic |
ABT, St,GOW |
- |
| Pipattack: Poisoning federated recommender systems for manipulating item promotion |
WSDM |
2022 |
Model-intrinsic |
ML, AMCP |
- |
| Poisoning Deep Learning based Recommender Model in Federated Learning Scenarios |
IJCAI |
2022 |
Model-intrinsic |
ML, ADM |
Python |
| FedAttack: Effective and Covert Poisoning Attack on Federated Recommendation via Hard Sampling |
Arxiv |
2022 |
Model-intrinsic |
ML, ABT |
Python |
| UA-FedRec: Untargeted Attack on Federated News Recommendation |
Arxiv |
2022 |
Model-intrinsic |
MIND, Feeds |
Python |
| Triple Adversarial Learning for Influence based Poisoning Attack in Recommender Systems |
KDD |
2021 |
Model-agnostic |
ML, FT |
Python |
| Reverse Attack: Black-box Attacks on Collaborative Recommendation |
CSS |
2021 |
Model-agnostic |
ML, NF, AMB & ADM, TW, G+, CIT |
- |
| Attacking Black-box Recommendations via Copying Cross-domain User Profiles |
ICDE |
2021 |
Model-agnostic |
ML, NF |
- |
| Simulating real profiles for shilling attacks: A generative approach |
KBS |
2021 |
Model-agnostic |
ML |
- |
| Ready for emerging threats to recommender systems? A graph convolution-based generative shilling attack |
IS |
2021 |
Model-agnostic |
DB, CI |
Python |
| Data poisoning attacks on neighborhoodbased recommender systems |
ETT |
2021 |
Model-intrinsic |
FT, ML, AMV |
- |
| Data Poisoning Attack against Recommender System Using Incomplete and Perturbed Data |
KDD |
2021 |
Model-intrinsic |
ML, AIV |
- |
| Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction |
RecSys |
2021 |
Model-intrinsic |
ML,St, ABT |
Python |
| Poisoning attacks against knowledge graph-based recommendation systems using deep reinforcement learning |
Neural. Comput. Appl. |
2021 |
Model-intrinsic |
ML, FTr |
- |
| Adversarial Item Promotion: Vulnerabilities at the Core of Top-N Recommenders that Use Images to Address Cold Start |
WWW |
2021 |
Model-intrinsic |
AMMN, TC |
Python |
| Data poisoning attacks to deep learning based recommender systems |
arXiv |
2021 |
Model-intrinsic |
ML, LA |
- |
| Practical data poisoning attack against next-item recommendation |
WWW |
2020 |
Model-intrinsic |
ABT |
- |
| Influence function based data poisoning attacks to top-n recommender systems |
WWW |
2020 |
Model-intrinsic |
YE, ADM |
- |
| Attacking recommender systems with augmented user profiles |
CIKM |
2020 |
Model-agnostic |
ML, FT, AAT |
- |
| Poisonrec: an adaptive data poisoning framework for attacking black-box recommender systems |
ICDE |
2020 |
Model-agnostic |
St, AMCP, ML |
- |
| Revisiting adversarially learned injection attacks against recommender systems |
RecSys |
2020 |
Model-agnostic |
GOW |
Python |
| Adversarial attacks on an oblivious recommender |
RecSys |
2019 |
Model-intrinsic |
ML |
- |
| Targeted poisoning attacks on social recommender systems |
GLOBECOM |
2019 |
Model-intrinsic |
FT |
- |
| Data poisoning attacks on cross-domain recommendation |
CIKM |
2019 |
Model-intrinsic |
NF, ML |
- |
| Poisoning attacks to graph-based recommender systems |
ACSAC |
2018 |
Model-intrinsic |
ML, AIV |
- |
| Fake Co-visitation Injection Attacks to Recommender Systems |
NDSS |
2017 |
Model-intrinsic |
YT, eB, AMV, YE, LI |
- |
| Data poisoning attacks on factorization-based collaborative filtering |
NIPS |
2016 |
Model-intrinsic |
ML |
Python |
| Shilling recommender systems for fun and profit |
WWW |
2004 |
Model-agnostic |
ML |
|
Countermeasures
In this section, we review detection methods in more detail, starting with supervised methods, before turning to semi-supervised methods and unsupervised methods
| Paper |
Venue |
Year |
Type |
Data |
Code |
| Anti-FakeU: Defending Shilling Attacks on Graph Neural Network based Recommender Model |
WWW |
2023 |
UnSupervised |
GOW, Yelp |
- |
| An unsupervised detection method for shilling attacks based on deep learning and community detection |
Soft Comput. |
2021 |
UnSupervised |
NF, AMV |
- |
| Identification of Malicious Injection Attacks in Dense Rating and Co-Visitation Behaviors |
TIFS |
2020 |
UnSupervised |
ML, AMB, LT, Trip |
- |
| Recommendation attack detection based on deep learning |
JISA |
2020 |
Supervised |
ML |
- |
| Detecting shilling attacks with automatic features from multiple views |
Secur. Commun. Netw. |
2019 |
Supervised |
NF, ML, AMV |
- |
| Detecting shilling attacks in social recommender systems based on time series analysis and trust features |
KBS |
2019 |
Supervised |
CI, EP |
- |
| BS-SC: An Unsupervised Approach for Detecting Shilling Profiles in Collaborative Recommender Systems |
TKDE |
2019 |
UnSupervised |
SYN, AMP |
- |
| Detecting shilling attacks in recommender systems based on analysis of user rating behavior |
KBS |
2019 |
UnSupervised |
NF, ML, AMP |
- |
| Trustworthy and profit: A new value-based neighbor selection method in recommender systems under shilling attacks |
DSS |
2019 |
UnSupervised |
BC, AMB |
- |
| Quick and accurate attack detection in recommender systems through user attributes |
RecSys |
2019 |
UnSupervised |
ML |
- |
| UD-HMM: An unsupervised method for shilling attack detection based on hidden Markov model and hierarchical clustering |
KBS |
2018 |
UnSupervised |
ML, NF, AMP |
- |
| Shilling attack detection for recommender systems based on credibility of group users and rating time series |
Plos One |
2018 |
UnSupervised |
ML |
- |
| Spotting anomalous ratings for rating systems by analyzing target users and items |
Neurocomputing |
2017 |
UnSupervised |
ML, AMP |
- |
| Estimating user behavior toward detecting anomalous ratings in rating systems |
KBS |
2016 |
UnSupervised |
ML |
- |
| SVM-TIA a shilling attack detection method based on SVM and target item analysis in recommender systems |
J. Neucom. |
2016 |
Supervised |
ML |
- |
| Re-scale AdaBoost for attack detection in collaborative filtering recommender systems |
KBS |
2016 |
Supervised |
ML |
- |
| Catch the black sheep: unified framework for shilling attack detection based on fraudulent action propagation |
IJCAI |
2015 |
UnSupervised |
AMV |
- |
| Shilling attacks detection in recommender systems based on target item analysis |
Plos One |
2015 |
UnSupervised |
ML, NF, EM |
- |
| A novel item anomaly detection approach against shilling attacks in collaborative recommendation systems using the dynamic time interval segmentation technique |
IS |
2015 |
UnSupervised |
ML |
- |
| A novel shilling attack detection method |
Procedia Comput. Sci. |
2014 |
UnSupervised |
ML |
- |
| Detection of abnormal profiles on group attacks in recommender systems |
SIGIR |
2014 |
UnSupervised |
NF, ML, EM |
- |
| HHT–SVM: An online method for detecting profile injection attacks in collaborative recommender systems |
KBS |
2014 |
Supervised |
ML |
- |
| Shilling attack detection utilizing semi-supervised learning method for collaborative recommender system |
WWW |
2013 |
Semi Supervised |
ML |
- |
| 𝛽P: A novel approach to filter out malicious rating profiles from recommender systems |
DSS |
2013 |
UnSupervised |
ML |
- |
| A Meta-learning-based Approach for Detecting Profile Injection Attacks in Collaborative Recommender Systems |
J. Comput. |
2012 |
Supervised |
ML |
- |
| HySAD: A semi-supervised hybrid shilling attack detector for trustworthy product recommendation |
KDD |
2012 |
Semi Supervised |
NF, ML |
- |
| A clustering approach to unsupervised attack detection in collaborative recommender systems |
ICDATA |
2011 |
UnSupervised |
ML |
- |
| Unsupervised strategies for shilling detection and robust collaborative filtering |
User Model. User-Adapt. Interact. |
2009 |
UnSupervised |
ML |
- |
| Unsupervised retrieval of attack profiles in collaborative recommender systems |
RecSys |
2008 |
UnSupervised |
ML |
- |
| Lies and propaganda: detecting spam users in collaborative filtering |
IUI |
2007 |
UnSupervised |
ML |
- |
| Toward trustworthy recommender systems: An analysis of attack models and algorithm robustness |
TOIT |
2007 |
Supervised |
ML |
- |
| Classification features for attack detection in collaborative recommender systems |
KDD |
2006 |
Supervised |
ML |
- |
| Detecting profile injection attacks in collaborative recommender systems |
CEC-EEE |
2006 |
Supervised |
ML |
- |
| Attack detection in time series for recommender systems |
KDD |
2006 |
UnSupervised |
ML |
- |
| Preventing shilling attacks in online recommender systems |
WIDM |
2005 |
Supervised |
ML |
- |
Datasets
| Dataset |
Name |
| AAT |
Amazon Automotive |
| ABT |
Amazon Beauty |
| ADM |
Amazon Digital Music |
| AIV |
Amazon Instant Video |
| AMB |
Amazon Book |
| AMMN |
Amazon Men |
| AMV |
Amazon Movie |
| AMCP |
Amazon Cell-phone |
| AMP |
Amazon Product |
| BC |
Book-Crossing |
| CI |
Ciao |
| CIT |
Citation Network |
| DB |
Douban |
| eB |
eBay |
| EM |
Eachmovie |
| EP |
Epinions |
| Feeds |
Microsoft news App |
| FR |
FRappe - Mobile App Recommendations |
| FT |
Film Trust |
| Ftr |
Fund Transactions |
| G+ |
Google+ |
| GOW |
Gowalla |
| MIND |
Microsoft News |
| LA |
Last.fm |
| LI |
Linkedin |
| LT |
LibraryThing |
| ML |
MovieLens |
| NF |
Netflix |
| St |
Steam |
| TC |
Tradesy |
| Trip |
TripAdvisor |
| TW |
Twitter [Code] |
| YE |
Yelp |
| YT |
YouTube |
| SYNC |
Synthetic datasets |
Disclaimer
Feel free to contact us if you have any queries or exciting news. In addition, we welcome all researchers to contribute to this repository and further contribute to the knowledge of this field.
If you have some other related references, please feel free to create a Github issue with the paper information. We will gladly update the repos according to your suggestions. (You can also create pull requests, but it might take some time for us to do the merge)
awesome-recsys-poisoning copied to clipboard
tamlhp
tamlhp