
Securing Recommender System via Cooperative Training

Qingyang Wang, Chenwang Wu, Defu Lian, Enhong Chen

TL;DR

This work tackles poisoning attacks in recommender systems by introducing Triple Cooperative Defense ($TCD$), a framework that trains three models jointly and uses high-confidence pseudo-labels to augment training without discarding data. It also revisits poisoning attacks, proposing Co-training Attack ($CoAttack$) to optimize on all poisoned data efficiently, and Game-based Co-training Attack ($GCoAttack$) to study the attack's benefit in a game with $TCD$ as the defender. Extensive experiments on three real datasets show that $TCD$ substantially boosts robustness and that both $CoAttack$ and $GCoAttack$ outperform existing attacks, with $GCoAttack$ posing the strongest poisoning threat under cooperative training. The results provide practical defense insights and reveal the dynamics of attack-defense interactions, suggesting that game-theoretic and cooperative-training perspectives can enhance both security and performance in recommender systems.

Abstract

Recommender systems are often susceptible to well-crafted fake profiles, leading to biased recommendations. Among existing defense methods, data-processing-based methods inevitably exclude normal samples, while model-based methods struggle to achieve both generalization and robustness. To this end, we suggest integrating data processing and the robust model to propose a general framework, Triple Cooperative Defense (TCD), which employs three cooperative models that mutually enhance data and thereby improve recommendation robustness. Furthermore, considering that existing attacks struggle to balance bi-level optimization and efficiency, we revisit poisoning attacks in recommender systems and introduce an efficient attack strategy, Co-training Attack (CoAttack), which cooperatively optimizes the attack and model training, respecting the bi-level setting while maintaining attack efficiency. Moreover, we reveal that a potential reason for the insufficient threat of existing attacks is their default assumption of optimizing attacks in undefended scenarios. This overly optimistic setting limits the potential of attacks. Consequently, we put forth a Game-based Co-training Attack (GCoAttack), which frames the proposed CoAttack and TCD as a game-theoretic process, thoroughly exploring CoAttack's attack potential in the cooperative training of attack and defense. Extensive experiments on three real datasets demonstrate TCD's superiority in enhancing model robustness. Additionally, we verify that the two proposed attack strategies significantly outperform existing attacks, with game-based GCoAttack posing a greater poisoning threat than CoAttack.


Paper Structure

This paper contains 35 sections, 4 equations, 9 figures, 5 tables, 3 algorithms.

Figures (9)

  • Figure 1: The framework of TCD. For model $h_{i}$'s training in each round, (a) the other two models use the same collaborative training; (b) the ratings predicted the same by the other two models are taken as consistent samples; (c) model $h_{i}$ is trained on labeled samples $D_{L}$ and consistent samples.
  • Figure 2: The framework of CoAttack. (a) Poisoned data initialization and injection. (b) Pre-train the attack model on $\mathcal{L}_{train}$. (c) Train the attack model on $\mathcal{L}_{train}+\mathcal{L}_{atk}$. (d) Select the items with the highest $m$ ratings in $h(u)$ as $u$'s filler items.
  • Figure 3: The framework of GCoAttack. (a) Pre-train three models on the dataset mixed with the initial poisoning data. (b) Cooperatively train TCD and CoAttack. (c) Choose the items with the highest $m$ ratings in $h_0(u)$ as $u$'s filler items.
  • Figure 4: Rank shift distribution of target items (unpopular items). The greater the rank shift, the more harmful the attack.
  • Figure 5: Attack performance regarding random items under different attack sizes.
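One TCD training round as described in the TL;DR and the Figure 1 caption, as an added illustration that is not the authors' code: three tiny matrix-factorisation models stand in for $h_0$, $h_1$, $h_2$; the unlabeled (user, item) pairs on which two models predict the same rating become pseudo-labeled consistent samples for the third, and each model is retrained on $D_L$ plus those samples rather than on a filtered dataset. The `MF` class, the rounded-rating agreement test and the toy data are constructed assumptions, not the paper's exact consistency criterion or datasets.

```python
import random

RATING_MIN, RATING_MAX = 1, 5  # constructed 1-5 rating scale

class MF:
    """Tiny matrix-factorisation rating model trained by SGD (stand-in for each h_i)."""
    def __init__(self, n_users, n_items, k=4, seed=0):
        rng = random.Random(seed)  # different seeds give the three models different views
        self.P = [[rng.gauss(0, 0.1) for _ in range(k)] for _ in range(n_users)]
        self.Q = [[rng.gauss(0, 0.1) for _ in range(k)] for _ in range(n_items)]
        self.mu = 3.0
    def predict(self, u, i):
        s = self.mu + sum(p * q for p, q in zip(self.P[u], self.Q[i]))
        return min(RATING_MAX, max(RATING_MIN, s))
    def fit(self, data, epochs=40, lr=0.02, reg=0.02):
        self.mu = sum(r for _, _, r in data) / len(data)
        for _ in range(epochs):
            for u, i, r in data:
                err = r - (self.mu + sum(p * q for p, q in zip(self.P[u], self.Q[i])))
                for f in range(len(self.P[u])):
                    pu, qi = self.P[u][f], self.Q[i][f]
                    self.P[u][f] += lr * (err * qi - reg * pu)
                    self.Q[i][f] += lr * (err * pu - reg * qi)
        return self

def consistent_samples(h_a, h_b, unlabeled):
    """Figure 1(b): pairs on which the two peer models predict the same rounded rating."""
    out = []
    for u, i in unlabeled:
        ra, rb = round(h_a.predict(u, i)), round(h_b.predict(u, i))
        if ra == rb:
            out.append((u, i, ra))  # the agreed rating becomes the pseudo-label
    return out

def tcd_round(models, D_L, unlabeled):
    """Figure 1(c): retrain each h_i on D_L plus the samples its two peers agree on."""
    pseudo = [consistent_samples(*[m for j, m in enumerate(models) if j != i], unlabeled)
              for i in range(len(models))]  # collect first, so peers are not yet retrained
    for h, extra in zip(models, pseudo):
        h.fit(D_L + extra)  # nothing from D_L is discarded; the set is only augmented
    return pseudo

def demo():
    """Constructed toy data: 4 users, 5 items, 10 labeled ratings; the rest are unlabeled."""
    D_L = [(0, 0, 5), (0, 1, 4), (1, 0, 4), (1, 2, 2), (2, 1, 1),
           (2, 3, 5), (3, 2, 3), (3, 4, 4), (2, 4, 2), (1, 3, 5)]
    seen = {(u, i) for u, i, _ in D_L}
    unlabeled = [(u, i) for u in range(4) for i in range(5) if (u, i) not in seen]
    models = [MF(4, 5, seed=s).fit(D_L) for s in range(3)]
    return D_L, unlabeled, tcd_round(models, D_L, unlabeled)
```

Because every model keeps all of $D_L$ and only gains peer-agreed samples, the defense never excludes normal ratings the way data-filtering approaches do; a poisoned rating influences a model only if two independently initialised peers also agree on it.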