Poisoning Attacks and Defenses in Recommender Systems: A Survey

Zongwei Wang, Junliang Yu, Min Gao, Wei Yuan, Guanhua Ye, Shazia Sadiq, Hongzhi Yin

TL;DR

This survey addresses poisoning attacks in recommender systems by introducing a four-stage attacker pipeline and a two-part defense taxonomy (poisoning data filtering and robust training). It classifies attacks along goals, capabilities, victim architectures, and poisoning modalities, and reviews a wide range of defenses and evaluation metrics. Key contributions include a unified attacker-perspective taxonomy, a structured defense taxonomy with detailed method mappings, and a critical discussion of limitations and future directions. The work provides a practical framework for researchers and practitioners to assess, detect, and mitigate poisoning threats in both centralized and decentralized RS, with implications for improving robustness across emerging multimodal and federated scenarios.

Abstract

Modern recommender systems (RS) have profoundly enhanced user experience across digital platforms, yet they face significant threats from poisoning attacks. These attacks, aimed at manipulating recommendation outputs for unethical gains, exploit vulnerabilities in RS by injecting malicious data or intervening in model training. This survey presents a unique perspective by examining these threats through the lens of an attacker, offering fresh insights into their mechanics and impacts. Concretely, we detail a systematic pipeline that encompasses the four stages of a poisoning attack: setting attack goals, assessing attacker capabilities, analyzing the victim architecture, and implementing poisoning strategies. The pipeline not only aligns with various attack tactics but also serves as a comprehensive taxonomy to pinpoint the focus of distinct poisoning attacks. Correspondingly, from the defender's perspective, we further classify defensive strategies into two main categories: poisoning data filtering and robust training. Finally, we highlight existing limitations and suggest innovative directions for further exploration in this field.

Paper Structure (45 sections, 3 equations, 8 figures, 2 tables)


Figures (8)

  • Figure 1: The taxonomy of poisoning attacks against RS.
  • Figure 2: Poisoning attacks for system degradation and targeted manipulation.
  • Figure 3: Poisoning attacks constrained by prior knowledge, cost limitation and invisibility.
  • Figure 4: Poisoning attacks against centralized and decentralized scenarios. The left side of the illustration represents centralized RS, whereas the right side depicts decentralized RS.
  • Figure 5: Poisoning attacks divided into data poisoning and model poisoning. The left is data poisoning, while the right is model poisoning.
  • ...and 3 more figures