Adversarial atacks on an oblivious recommender

Konstantina Christakopoulou; Arindam Banerjee

doi:10.1145/3298689.3347031

Adversarial atacks on an oblivious recommender

Konstantina Christakopoulou, Arindam Banerjee

Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

43 Scopus citations

Abstract

Can machine learning models be easily fooled? Despite the recent surge of interest in learned adversarial attacks in other domains, in the context of recommendation systems this question has mainly been answered using hand-engineered fake user profles. This paper attempts to reduce this gap. We provide a formulation for learning to attack a recommender as a repeated general-sum game between two players, i.e., an adversary and a recommender oblivious to the adversary's existence. We consider the challenging case of poisoning attacks, which focus on the training phase of the recommender model. We generate adversarial user profles targeting subsets of users or items, or generally the top-K recommendation quality. Moreover, we ensure that the adversarial user profles remain unnoticeable by preserving proximity of the real user rating/interaction distribution to the adversarial fake user distribution. To cope with the challenge of the adversary not having access to the gradient of the recommender's objective with respect to the fake user profles, we provide a non-trivial algorithm building upon zero-order optimization techniques. We ofer a wide range of experiments, instantiating the proposed method for the case of the classic popular approach of a low-rank recommender, and illustrating the extent of the recommender's vulnerability to a variety of adversarial intents. These results can serve as a motivating point for more research into recommender defense strategies against machine learned attacks.

Original language	English (US)
Title of host publication	RecSys 2019 - 13th ACM Conference on Recommender Systems
Publisher	Association for Computing Machinery, Inc
Pages	322-330
Number of pages	9
ISBN (Electronic)	9781450362436
DOIs	https://doi.org/10.1145/3298689.3347031
State	Published - Sep 10 2019
Event	13th ACM Conference on Recommender Systems, RecSys 2019 - Copenhagen, Denmark Duration: Sep 16 2019 → Sep 20 2019

Publication series

Name	RecSys 2019 - 13th ACM Conference on Recommender Systems

Conference

Conference	13th ACM Conference on Recommender Systems, RecSys 2019
Country/Territory	Denmark
City	Copenhagen
Period	9/16/19 → 9/20/19

Bibliographical note

Funding Information:
The research was supported by NSF grants IIS-1563950, IIS-1447566, IIS-1447574, IIS-1422557, CCF-1451986, CNS-1314560, IIS-0953274, IIS-1029711, NASA grant NNX12AQ39A, and gifts from Adobe, IBM, and Yahoo.

Publisher Copyright:
© 2019 Association for Computing Machinery.

Keywords

Learned Adversarial Attacks
Recommender Systems

Publisher link

10.1145/3298689.3347031

Find It

Find It at U of M Libraries

Cite this

Christakopoulou, K & Banerjee, A 2019, Adversarial atacks on an oblivious recommender. in RecSys 2019 - 13th ACM Conference on Recommender Systems. RecSys 2019 - 13th ACM Conference on Recommender Systems, Association for Computing Machinery, Inc, pp. 322-330, 13th ACM Conference on Recommender Systems, RecSys 2019, Copenhagen, Denmark, 9/16/19. https://doi.org/10.1145/3298689.3347031

@inproceedings{3c301dc9aaaa40eb8bfc53bf58e7e58c,

title = "Adversarial atacks on an oblivious recommender",

abstract = "Can machine learning models be easily fooled? Despite the recent surge of interest in learned adversarial attacks in other domains, in the context of recommendation systems this question has mainly been answered using hand-engineered fake user profles. This paper attempts to reduce this gap. We provide a formulation for learning to attack a recommender as a repeated general-sum game between two players, i.e., an adversary and a recommender oblivious to the adversary's existence. We consider the challenging case of poisoning attacks, which focus on the training phase of the recommender model. We generate adversarial user profles targeting subsets of users or items, or generally the top-K recommendation quality. Moreover, we ensure that the adversarial user profles remain unnoticeable by preserving proximity of the real user rating/interaction distribution to the adversarial fake user distribution. To cope with the challenge of the adversary not having access to the gradient of the recommender's objective with respect to the fake user profles, we provide a non-trivial algorithm building upon zero-order optimization techniques. We ofer a wide range of experiments, instantiating the proposed method for the case of the classic popular approach of a low-rank recommender, and illustrating the extent of the recommender's vulnerability to a variety of adversarial intents. These results can serve as a motivating point for more research into recommender defense strategies against machine learned attacks.",

keywords = "Learned Adversarial Attacks, Recommender Systems",

author = "Konstantina Christakopoulou and Arindam Banerjee",

note = "Funding Information: The research was supported by NSF grants IIS-1563950, IIS-1447566, IIS-1447574, IIS-1422557, CCF-1451986, CNS-1314560, IIS-0953274, IIS-1029711, NASA grant NNX12AQ39A, and gifts from Adobe, IBM, and Yahoo. Publisher Copyright: {\textcopyright} 2019 Association for Computing Machinery.; 13th ACM Conference on Recommender Systems, RecSys 2019 ; Conference date: 16-09-2019 Through 20-09-2019",

year = "2019",

month = sep,

day = "10",

doi = "10.1145/3298689.3347031",

language = "English (US)",

series = "RecSys 2019 - 13th ACM Conference on Recommender Systems",

publisher = "Association for Computing Machinery, Inc",

pages = "322--330",

booktitle = "RecSys 2019 - 13th ACM Conference on Recommender Systems",

}

TY - GEN

T1 - Adversarial atacks on an oblivious recommender

AU - Christakopoulou, Konstantina

AU - Banerjee, Arindam

N1 - Funding Information: The research was supported by NSF grants IIS-1563950, IIS-1447566, IIS-1447574, IIS-1422557, CCF-1451986, CNS-1314560, IIS-0953274, IIS-1029711, NASA grant NNX12AQ39A, and gifts from Adobe, IBM, and Yahoo. Publisher Copyright: © 2019 Association for Computing Machinery.

PY - 2019/9/10

Y1 - 2019/9/10

N2 - Can machine learning models be easily fooled? Despite the recent surge of interest in learned adversarial attacks in other domains, in the context of recommendation systems this question has mainly been answered using hand-engineered fake user profles. This paper attempts to reduce this gap. We provide a formulation for learning to attack a recommender as a repeated general-sum game between two players, i.e., an adversary and a recommender oblivious to the adversary's existence. We consider the challenging case of poisoning attacks, which focus on the training phase of the recommender model. We generate adversarial user profles targeting subsets of users or items, or generally the top-K recommendation quality. Moreover, we ensure that the adversarial user profles remain unnoticeable by preserving proximity of the real user rating/interaction distribution to the adversarial fake user distribution. To cope with the challenge of the adversary not having access to the gradient of the recommender's objective with respect to the fake user profles, we provide a non-trivial algorithm building upon zero-order optimization techniques. We ofer a wide range of experiments, instantiating the proposed method for the case of the classic popular approach of a low-rank recommender, and illustrating the extent of the recommender's vulnerability to a variety of adversarial intents. These results can serve as a motivating point for more research into recommender defense strategies against machine learned attacks.

AB - Can machine learning models be easily fooled? Despite the recent surge of interest in learned adversarial attacks in other domains, in the context of recommendation systems this question has mainly been answered using hand-engineered fake user profles. This paper attempts to reduce this gap. We provide a formulation for learning to attack a recommender as a repeated general-sum game between two players, i.e., an adversary and a recommender oblivious to the adversary's existence. We consider the challenging case of poisoning attacks, which focus on the training phase of the recommender model. We generate adversarial user profles targeting subsets of users or items, or generally the top-K recommendation quality. Moreover, we ensure that the adversarial user profles remain unnoticeable by preserving proximity of the real user rating/interaction distribution to the adversarial fake user distribution. To cope with the challenge of the adversary not having access to the gradient of the recommender's objective with respect to the fake user profles, we provide a non-trivial algorithm building upon zero-order optimization techniques. We ofer a wide range of experiments, instantiating the proposed method for the case of the classic popular approach of a low-rank recommender, and illustrating the extent of the recommender's vulnerability to a variety of adversarial intents. These results can serve as a motivating point for more research into recommender defense strategies against machine learned attacks.

KW - Learned Adversarial Attacks

KW - Recommender Systems

UR - http://www.scopus.com/inward/record.url?scp=85073369280&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85073369280&partnerID=8YFLogxK

U2 - 10.1145/3298689.3347031

DO - 10.1145/3298689.3347031

M3 - Conference contribution

AN - SCOPUS:85073369280

T3 - RecSys 2019 - 13th ACM Conference on Recommender Systems

SP - 322

EP - 330

BT - RecSys 2019 - 13th ACM Conference on Recommender Systems

PB - Association for Computing Machinery, Inc

T2 - 13th ACM Conference on Recommender Systems, RecSys 2019

Y2 - 16 September 2019 through 20 September 2019

ER -

Adversarial atacks on an oblivious recommender

Abstract

Publication series

Conference

Bibliographical note

Keywords

Publisher link

Find It

Other files and links

Fingerprint

Cite this