Review-Incorporated Model-Agnostic Profile Injection Attacks on Recommender Systems

Shiyi Yang, Lina Yao, Chen Wang, Xiwei Xu, Liming Zhu

TL;DR

The paper tackles data poisoning in recommender systems under resource constraints by introducing R-Trojan, a three-module transformer-based GAN that incorporates textual reviews to generate high-quality fake profiles. It formalizes a bi-level optimization that combines transferability loss $L_{trans}$ and imperceptibility loss $L_{imper}$, with lower-level RS training $L_{RS}$ and detector loss $L_{DE}$ guiding generation. Empirical results on real-world datasets show that R-Trojan substantially outperforms baselines across black-box victim RSs and demonstrates strong imperceptibility, including attacks on review-based systems. This work reveals a significant vulnerability of review-based RSs to poisoning and provides a framework for assessing attack transferability and stealth, with implications for defense strategies.

Abstract

Recent studies have shown that recommender systems (RSs) are highly vulnerable to data poisoning attacks. Understanding attack tactics helps improve the robustness of RSs. We intend to develop efficient attack methods that use limited resources to generate high-quality fake user profiles to achieve 1) transferability among black-box RSs and 2) imperceptibility among detectors. In order to achieve these goals, we introduce textual reviews of products to enhance the generation quality of the profiles. Specifically, we propose a novel attack framework named R-Trojan, which formulates the attack objectives as an optimization problem and adopts a tailored transformer-based generative adversarial network (GAN) to solve it so that high-quality attack profiles can be produced. Comprehensive experiments on real-world datasets demonstrate that R-Trojan greatly outperforms state-of-the-art attack methods on various victim RSs under black-box settings and show its good imperceptibility.

Paper Structure (27 sections, 13 equations, 3 figures, 2 tables)

Figures (3)

  • Figure 1: R-Trojan Attack Framework
  • Figure 2: R-Trojan performance with different attack sizes against various review-based RSs on three real-world datasets.
  • Figure 3: Visualization of R-Trojan's fake user profiles and real user profiles on real-world datasets.