Poisoning Attacks against Recommender Systems: A Survey
Zongwei Wang, Min Gao, Junliang Yu, Hao Ma, Hongzhi Yin, Shazia Sadiq
TL;DR
This survey provides a comprehensive, up-to-date view of Poisoning Attacks against Recommendation (PAR), introducing a tripartite taxonomy—Component-Specific, Goal-Driven, and Capability Probing—and detailing concrete attack mechanisms across input, model, and optimization dimensions. It frames PAR as a bi-level optimization problem, surveys a wide range of methods, and links them to attacker goals and capabilities, while highlighting defense-relevant considerations. A key contribution is ARLib, an open-source library with multiple PAR models and datasets to enable rapid replication, benchmarking, and cross-domain comparison. The paper also identifies critical gaps and future directions, including theoretical foundations, long-term impact assessment, and strategies for neutralization of poisoning threats in modern, multi-modal, and large-language-model–driven recommender ecosystems.
Abstract
Modern recommender systems (RS) have seen substantial success, yet they remain vulnerable to malicious activities, notably poisoning attacks. These attacks involve injecting malicious data into the training datasets of RS, thereby compromising their integrity and manipulating recommendation outcomes to gain illicit profits. This survey paper provides a systematic and up-to-date review of the research landscape on Poisoning Attacks against Recommendation (PAR). A novel and comprehensive taxonomy is proposed, categorizing existing PAR methodologies into three distinct categories: Component-Specific, Goal-Driven, and Capability Probing. For each category, we discuss its mechanism in detail, along with associated methods. Furthermore, this paper highlights potential future research avenues in this domain. Additionally, to facilitate and benchmark the empirical comparison of PAR, we introduce an open-source library, ARLib, which encompasses a comprehensive collection of PAR models and common datasets. The library is released at https://github.com/CoderWZW/ARLib.
