Unveiling Vulnerabilities of Contrastive Recommender Systems to Poisoning Attacks
Zongwei Wang, Junliang Yu, Min Gao, Hongzhi Yin, Bin Cui, Shazia Sadiq
TL;DR
The paper identifies a vulnerability in CL-based recommender systems: the InfoNCE loss $\mathcal{L}_{cl}$ promotes global dispersion of Representations, which can be exploited by poisoning attacks targeting specific items. It provides a theoretical and empirical spectral analysis showing that CL optimization yields a smoother spectrum of singular values, motivating an attack that further homogenizes spectral values. The authors introduce CLeaR, a white-box poisoning framework formulated as a bi-level optimization with dispersion promotion and rank promotion, and demonstrate through extensive experiments on four public datasets that CLeaR outperforms baselines in exposing target items. The work highlights the need for defense mechanisms in CL-based recommenders and offers a concrete attack model to guide robust design and evaluation.
Abstract
Contrastive learning (CL) has recently gained prominence in the domain of recommender systems due to its great ability to enhance recommendation accuracy and improve model robustness. Despite its advantages, this paper identifies a vulnerability of CL-based recommender systems that they are more susceptible to poisoning attacks aiming to promote individual items. Our analysis indicates that this vulnerability is attributed to the uniform spread of representations caused by the InfoNCE loss. Furthermore, theoretical and empirical evidence shows that optimizing this loss favors smooth spectral values of representations. This finding suggests that attackers could facilitate this optimization process of CL by encouraging a more uniform distribution of spectral values, thereby enhancing the degree of representation dispersion. With these insights, we attempt to reveal a potential poisoning attack against CL-based recommender systems, which encompasses a dual-objective framework: one that induces a smoother spectral value distribution to amplify the InfoNCE loss's inherent dispersion effect, named dispersion promotion; and the other that directly elevates the visibility of target items, named rank promotion. We validate the threats of our attack model through extensive experimentation on four datasets. By shedding light on these vulnerabilities, our goal is to advance the development of more robust CL-based recommender systems. The code is available at \url{https://github.com/CoderWZW/ARLib}.