Uplift Modeling for Target User Attacks on Recommender Systems

Wenjie Wang, Changsheng Wang, Fuli Feng, Wentao Shi, Daizong Ding, Tat-Seng Chua

TL;DR

This work identifies that conventional injective attackers overlook two facts: each item has its own potential audience, and attack difficulty varies across users. It proposes an Uplift-guided Budget Allocation (UBA) framework, which estimates the treatment effect on each target user and optimizes the allocation of fake user budgets to maximize the attack performance.

Abstract

Recommender systems are vulnerable to injective attacks, which inject limited fake users into the platforms to manipulate the exposure of target items to all users. In this work, we identify that conventional injective attackers overlook the fact that each item has its unique potential audience, and meanwhile, the attack difficulty across different users varies. Blindly attacking all users will result in a waste of fake user budgets and inferior attack performance. To address these issues, we focus on an under-explored attack task called target user attacks, aiming at promoting target items to a particular user group. In addition, we formulate the varying attack difficulty as heterogeneous treatment effects through a causal lens and propose an Uplift-guided Budget Allocation (UBA) framework. UBA estimates the treatment effect on each target user and optimizes the allocation of fake user budgets to maximize the attack performance. Theoretical and empirical analysis demonstrates the rationality of treatment effect estimation methods of UBA. By instantiating UBA on multiple attackers, we conduct extensive experiments on three datasets under various settings with different target items, target users, fake user budgets, victim models, and defense models, validating the effectiveness and robustness of UBA.

Paper Structure (27 sections, 2 theorems, 3 equations, 10 figures, 9 tables, 1 algorithm)


Key Result

Proposition 1

Given a user and an item without historical interactions, their prediction score by a CF model is positively correlated with their three-order

Footnote: We find that the correlation exists with multiple different order numbers (see the appendix section labelled appendix:correlation_exp). To keep simplicity, we select the s

Figures (10)

  • Figure 1: Illustration of injective attacks on all users and target users (a) and varying attack difficulty on two users (b), where one fake user may cause different uplifts of the recommendation probabilities.
  • Figure 2: (a) Illustration of two estimation methods and the correlation analysis from a causal view, and (b) correlation visualization between three-order path numbers of user-item pairs and their prediction scores by MF, where the correlation coefficients $r=0.9998\approx 1$ and $p=6e^{-86}\ll0.001$ via the Spearman Rank Correlation Test validate the strong correlation (see similar correlation on more CF models in the appendix section labelled appendix:correlation_exp).
  • Figure 3: Performance comparison w.r.t. HR@10 under different attack budgets.
  • Figure 4: Generalization of UBA w.r.t. HR@10 across different victim models.
  • Figure 5: Case study about the budget allocation on five target users. UBA allocates fake users more wisely to maximize the overall recommendation probability than Target.
  • ...and 5 more figures

Theorems & Definitions (2)

  • Proposition 1
  • Proposition 2