Evaluating Impact of User-Cluster Targeted Attacks in Matrix Factorisation Recommenders
Sulthana Shams, Douglas Leith
TL;DR
This paper addresses the problem of user-cluster targeted data poisoning in matrix factorisation–based recommender systems by injecting fake users to promote a chosen item within a target cluster. It compares two update regimes, derives analytical expressions for how the latent matrices $U$ and $V$ evolve under attack, and shows that updates to the item vector $V_{j^*}$ drive cross-cluster leakage more than updates to $U$. The study finds that items with few ratings in the target cluster are more susceptible and that leakage to non-target clusters depends on feature correlations; results are validated on MovieLens and Goodreads using synthetic data, demonstrating practical implications for RS robustness. The authors discuss defence strategies, such as augmenting true ratings, decoupling update frequencies, and monitoring shifts in item vectors, to mitigate targeted data poisoning risks.
Abstract
In practice, users of a Recommender System (RS) fall into a few clusters based on their preferences. In this work, we conduct a systematic study on user-cluster targeted data poisoning attacks on Matrix Factorisation (MF) based RS, where an adversary injects fake users with falsely crafted user-item feedback to promote an item to a specific user cluster. We analyse how user and item feature matrices change after data poisoning attacks and identify the factors that influence the effectiveness of the attack on these feature matrices. We demonstrate that the adversary can easily target specific user clusters with minimal effort and that some items are more susceptible to attacks than others. Our theoretical analysis has been validated by the experimental results obtained from two real-world datasets. Our observations from the study could serve as a motivating point to design a more robust RS.
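The TL;DR names monitoring shifts in item vectors as one defence. The following check is an added example, not code from the paper: it compares one item's vector across two retrains and reports how the predicted score moves at each cluster centroid. It assumes a two-dimensional latent space and a ridge least-squares item update with user vectors held fixed; the ratings, centroids, `LAM` and `MAX_SHIFT` are constructed values.

```python
import math

LAM = 0.1          # ridge weight (assumed)
MAX_SHIFT = 0.5    # alert threshold on ||V_new - V_old|| (assumed, tune per model)

def item_vector(rated, lam=LAM):
    """Ridge least-squares item vector with 2-d user vectors held fixed.
    rated: list of ((u0, u1), rating); solves (sum u u^T + lam*I) v = sum r*u."""
    a = d = lam
    b = y0 = y1 = 0.0
    for (u0, u1), r in rated:
        a += u0 * u0
        b += u0 * u1
        d += u1 * u1
        y0 += r * u0
        y1 += r * u1
    det = a * d - b * b
    return ((d * y0 - b * y1) / det, (a * y1 - b * y0) / det)

def drift_report(v_old, v_new, centroids, max_shift=MAX_SHIFT):
    """Shift of one item vector between retrains, plus the change in
    predicted score at each user-cluster centroid (for triage)."""
    dot = lambda u, v: u[0] * v[0] + u[1] * v[1]
    deltas = {c: dot(u, v_new) - dot(u, v_old) for c, u in centroids.items()}
    shift = math.dist(v_old, v_new)
    return {"shift": shift, "deltas": deltas, "flag": shift > max_shift}

# Constructed sample data: two cluster centroids and ratings for one item.
CENTROIDS = {"A": (1.0, 0.2), "B": (0.2, 1.0)}
BASELINE = [(CENTROIDS["A"], 1.0)] * 2 + [(CENTROIDS["B"], 2.0)] * 20
# Retrain 1: two more ordinary ratings from cluster B.
ORGANIC = BASELINE + [(CENTROIDS["B"], 2.0)] * 2
# Retrain 2: ten new accounts that look like cluster A, all rating the item 5.
BURST = BASELINE + [(CENTROIDS["A"], 5.0)] * 10

def check(rated_new, rated_old=BASELINE):
    """Recompute the item vector on both rating sets and report the drift."""
    return drift_report(item_vector(rated_old), item_vector(rated_new), CENTROIDS)

if __name__ == "__main__":
    for name, data in (("organic", ORGANIC), ("burst", BURST)):
        print(name, check(data))
```

In this constructed data the item has only two genuine ratings from cluster A, so the burst moves the vector far past the threshold and raises the predicted score at A's centroid, while the organic retrain leaves the vector almost unchanged.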
