Can machine learning models be easily fooled? Despite the recent surge of interest in learned adversarial attacks in other domains, in the context of recommendation systems this question has mainly been answered using hand-engineered fake user profles. This paper attempts to reduce this gap. We provide a formulation for learning to attack a recommender as a repeated general-sum game between two players, i.e., an adversary and a recommender oblivious to the adversary's existence. We consider the challenging case of poisoning attacks, which focus on the training phase of the recommender model. We generate adversarial user profles targeting subsets of users or items, or generally the top-K recommendation quality. Moreover, we ensure that the adversarial user profles remain unnoticeable by preserving proximity of the real user rating/interaction distribution to the adversarial fake user distribution. To cope with the challenge of the adversary not having access to the gradient of the recommender's objective with respect to the fake user profles, we provide a non-trivial algorithm building upon zero-order optimization techniques. We ofer a wide range of experiments, instantiating the proposed method for the case of the classic popular approach of a low-rank recommender, and illustrating the extent of the recommender's vulnerability to a variety of adversarial intents. These results can serve as a motivating point for more research into recommender defense strategies against machine learned attacks.
|Original language||English (US)|
|Title of host publication||RecSys 2019 - 13th ACM Conference on Recommender Systems|
|Publisher||Association for Computing Machinery, Inc|
|Number of pages||9|
|State||Published - Sep 10 2019|
|Event||13th ACM Conference on Recommender Systems, RecSys 2019 - Copenhagen, Denmark|
Duration: Sep 16 2019 → Sep 20 2019
|Name||RecSys 2019 - 13th ACM Conference on Recommender Systems|
|Conference||13th ACM Conference on Recommender Systems, RecSys 2019|
|Period||9/16/19 → 9/20/19|
Bibliographical noteFunding Information:
The research was supported by NSF grants IIS-1563950, IIS-1447566, IIS-1447574, IIS-1422557, CCF-1451986, CNS-1314560, IIS-0953274, IIS-1029711, NASA grant NNX12AQ39A, and gifts from Adobe, IBM, and Yahoo.
© 2019 Association for Computing Machinery.
- Learned Adversarial Attacks
- Recommender Systems