Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

LoRec: Large Language Model for Robust Sequential Recommendation against Poisoning Attacks

Kaike Zhang, Qi Cao, Yunfan Wu, Fei Sun, Huawei Shen, Xueqi Cheng

TL;DR

LoRec introduces an LLM-enhanced CalibraTor (LCT) to robustify sequential recommender systems against poisoning attacks by calibrating per-user training weights with both specific model feedback and open-world knowledge from LLMs. The LCT jointly optimizes fraud likelihood, entropy regularization, and cross-view alignment between LLM-derived signals and model-derived signals to generalize beyond known attacks. Empirical results across multiple datasets and backbones show LoRec substantially reduces attack success (target-item metrics) while maintaining high recommendation quality, outperforming baselines and even simple LLM-based detectors. This framework offers a general, plug-in defense strategy that leverages open-world knowledge to generalize fraud patterns and enhance robustness in real-world, evolving attack environments.

Abstract

Sequential recommender systems stand out for their ability to capture users' dynamic interests and the patterns of item-to-item transitions. However, the inherent openness of sequential recommender systems renders them vulnerable to poisoning attacks, where fraudulent users are injected into the training data to manipulate learned patterns. Traditional defense strategies predominantly depend on predefined assumptions or rules extracted from specific known attacks, limiting their generalizability to unknown attack types. To solve the above problems, considering the rich open-world knowledge encapsulated in Large Language Models (LLMs), our research initially focuses on the capabilities of LLMs in the detection of unknown fraudulent activities within recommender systems, a strategy we denote as LLM4Dec. Empirical evaluations demonstrate the substantial capability of LLMs in identifying unknown fraudsters, leveraging their expansive, open-world knowledge. Building upon this, we propose the integration of LLMs into defense strategies to extend their effectiveness beyond the confines of known attacks. We propose LoRec, an advanced framework that employs LLM-Enhanced Calibration to strengthen the robustness of sequential recommender systems against poisoning attacks. LoRec integrates an LLM-enhanced CalibraTor (LCT) that refines the training process of sequential recommender systems with knowledge derived from LLMs, applying a user-wise reweighting to diminish the impact of fraudsters injected by attacks. By incorporating LLMs' open-world knowledge, the LCT effectively converts the limited, specific priors or rules into a more general pattern of fraudsters, offering improved defenses against poisoning attacks. Our comprehensive experiments validate that LoRec, as a general framework, significantly strengthens the robustness of sequential recommender systems.

LoRec: Large Language Model for Robust Sequential Recommendation against Poisoning Attacks

TL;DR

LoRec introduces an LLM-enhanced CalibraTor (LCT) to robustify sequential recommender systems against poisoning attacks by calibrating per-user training weights with both specific model feedback and open-world knowledge from LLMs. The LCT jointly optimizes fraud likelihood, entropy regularization, and cross-view alignment between LLM-derived signals and model-derived signals to generalize beyond known attacks. Empirical results across multiple datasets and backbones show LoRec substantially reduces attack success (target-item metrics) while maintaining high recommendation quality, outperforming baselines and even simple LLM-based detectors. This framework offers a general, plug-in defense strategy that leverages open-world knowledge to generalize fraud patterns and enhance robustness in real-world, evolving attack environments.

Abstract

Sequential recommender systems stand out for their ability to capture users' dynamic interests and the patterns of item-to-item transitions. However, the inherent openness of sequential recommender systems renders them vulnerable to poisoning attacks, where fraudulent users are injected into the training data to manipulate learned patterns. Traditional defense strategies predominantly depend on predefined assumptions or rules extracted from specific known attacks, limiting their generalizability to unknown attack types. To solve the above problems, considering the rich open-world knowledge encapsulated in Large Language Models (LLMs), our research initially focuses on the capabilities of LLMs in the detection of unknown fraudulent activities within recommender systems, a strategy we denote as LLM4Dec. Empirical evaluations demonstrate the substantial capability of LLMs in identifying unknown fraudsters, leveraging their expansive, open-world knowledge. Building upon this, we propose the integration of LLMs into defense strategies to extend their effectiveness beyond the confines of known attacks. We propose LoRec, an advanced framework that employs LLM-Enhanced Calibration to strengthen the robustness of sequential recommender systems against poisoning attacks. LoRec integrates an LLM-enhanced CalibraTor (LCT) that refines the training process of sequential recommender systems with knowledge derived from LLMs, applying a user-wise reweighting to diminish the impact of fraudsters injected by attacks. By incorporating LLMs' open-world knowledge, the LCT effectively converts the limited, specific priors or rules into a more general pattern of fraudsters, offering improved defenses against poisoning attacks. Our comprehensive experiments validate that LoRec, as a general framework, significantly strengthens the robustness of sequential recommender systems.
Paper Structure (34 sections, 1 theorem, 19 equations, 8 figures, 5 tables)

This paper contains 34 sections, 1 theorem, 19 equations, 8 figures, 5 tables.

Table of Contents

  1. INTRODUCTION
  2. RELATED WORK
  3. Sequential Recommender System
  4. Robust Recommender System
  5. PRELIMINARY
  6. Method
  7. Overview of LoRec
  8. Sequential Recommender System
  9. LLM-enhanced Calibrator
  10. Specific Knowledge Modeling
  11. Open-world Knowledge Extraction
  12. Training Strategy of LCT
  13. Calibration for Robust Recommendation
  14. EXPERIMENTS
  15. Experimental Setup
  16. ...and 19 more sections

Key Result

proposition 1

Consider i.i.d. samples $n_0, n_1, \dots, n_{N}$ drawn from a right-skewed distribution with mean $\mu_{\mathrm{n}}$, and $z_0, z_1, \dots, z_{Z}$ drawn from either a normal distribution or a left-skewed distribution with mean $\mu_{\mathrm{f}}$. Let $\xi_{n_i}$ and $\xi_{z_j}$ represent the weight

Figures (8)

  • Figure 1: (a) Sequential recommender systems show vulnerability to attacks despite various defense strategies. (b) Utilizing LLMs' open-world knowledge to enhance defense by generalizing from specific to general patterns.
  • Figure 2: Overview of LoRec: (a) Sequential Recommender System with ID-based/Text-based item encoding; (b) LLM-enhanced Calibrator utilizes both open-world knowledge from LLMs and specific knowledge within the sequential recommender system to calibrate user weights, enhancing its robustness against poisoning attacks.
  • Figure 3: For LCT with different scenarios (hyperparameters, training epochs, or attack types), the learned probability $p_u$ for genuine users $\mathcal{U}_{n}$ and potential fraudsters $\mathcal{U}_{f}$ follow different distributions.
  • Figure 4: Ablation study
  • Figure 5: Hyperparameter analysis on Entropy Regularization $\lambda_1$ and LLM-enhanced weights $\lambda_2$
  • ...and 3 more figures

Theorems & Definitions (1)

  • proposition 1