Multi-agent Attacks for Black-box Social Recommendations

TL;DR

This work addresses the vulnerability of Graph Neural Network–based social recommender systems to untargeted black-box attacks. It introduces MultiAttack, a decentralized multi-agent reinforcement learning framework that coordinates cross-community social connections and cold-start item profiles to degrade overall recommendation performance, even without access to model internals. Through DEC-POMDP modeling, centralized critics, and MAPPO training, the method outperforms strong baselines across three real-world datasets, with ablations confirming the importance of cross-community coupling, cold-start item usage, and agent coordination. The results highlight significant security risks in social recommendations and underscore the need for robust defenses against untargeted black-box attacks in practical deployment.

Abstract

The rise of online social networks has facilitated the evolution of social recommender systems, which incorporate social relations to enhance users' decision-making process. With the great success of Graph Neural Networks (GNNs) in learning node representations, GNN-based social recommendations have been widely studied to model user-item interactions and user-user social relations simultaneously. Despite their great successes, recent studies have shown that these advanced recommender systems are highly vulnerable to adversarial attacks, in which attackers can inject well-designed fake user profiles to disrupt recommendation performances. While most existing studies mainly focus on argeted attacks to promote target items on vanilla recommender systems, untargeted attacks to degrade the overall prediction performance are less explored on social recommendations under a black-box scenario. To perform untargeted attacks on social recommender systems, attackers can construct malicious social relationships for fake users to enhance the attack performance. However, the coordination of social relations and item profiles is challenging for attacking black-box social recommendations. To address this limitation, we first conduct several preliminary studies to demonstrate the effectiveness of cross-community connections and cold-start items in degrading recommendations performance. Specifically, we propose a novel framework MultiAttack based on multi-agent reinforcement learning to coordinate the generation of cold-start item profiles and cross-community social relations for conducting untargeted attacks on black-box social recommendations. Comprehensive experiments on various real-world datasets demonstrate the effectiveness of our proposed attacking framework under the black-box setting.

Figures (11)

• Figure 1: Illustration of untargeted black-box attacks in social recommender system. The objective of attackers is to reduce the overall recommendation performance by injecting a fake user (i.e., $u_{n+1}$) with profiles, consisting of fake item profile (i.e., $\{..., v_2, v_3, ...\}$) and fake social profile (i.e., $\{..., u_1, u_{n-2}, ...\}$).
• Figure 2: Comparing the impact of different filler items (i.e., item profile) based on popularity for untargeted attacks under a black-box social recommender system (e.g., GraphSAGE with social relations). Note that the items to the right of the x-axis are more popular.
• Figure 3: Comparing the impact of different social connections (i.e., random connections, intra-community connections, and cross-community connections) on untargeted attacks under the black-box social recommender system with injecting 10 fake users.
• Figure 4: An overview of the proposed framework. It contains three key components: community partitioning, multi-agent based fake user generation, and injection attack and queries in the target recommender system.
• Figure 5: The decentralized Actor-Critic (A2C) based multi-agent reinforcement learning framework for attacking social recommendations.