Accelerating the Surrogate Retraining for Poisoning Attacks against Recommender Systems

Yunfan Wu, Qi Cao, Shuchang Tao, Kaike Zhang, Fei Sun, Huawei Shen

TL;DR

This paper addresses the inefficiency of data poisoning attacks on recommender systems caused by repetitive retraining of a surrogate model. It introduces Gradient Passing (GP), a gradient-based messaging mechanism that passes gradient signals between interacted user–item pairs to mimic the cascading effects on the user–item graph, enabling a single update to approximate multiple training iterations. The authors provide theoretical justification under BCE loss and demonstrate that integrating GP into state-of-the-art attacks (e.g., RAPU-R and DPA2DL) yields substantial gains in attack effectiveness while reducing training time across three real-world datasets and six victim recommenders. The findings suggest GP not only strengthens poisoning attacks by providing better feedback for fake-user optimization but also offers a practical direction for faster, more scalable attack evaluation and potential extensions to other learning tasks. They also discuss defense by securing interaction data to mitigate leakage-based attacks and point to future work on applying GP to broader training scenarios and sequential recommendations.

Abstract

Recent studies have demonstrated the vulnerability of recommender systems to data poisoning attacks, where adversaries inject carefully crafted fake user interactions into the training data of recommenders to promote target items. Current attack methods involve iteratively retraining a surrogate recommender on the poisoned data with the latest fake users to optimize the attack. However, this repetitive retraining is highly time-consuming, hindering the efficient assessment and optimization of fake users. To mitigate this computational bottleneck and develop a more effective attack in an affordable time, we analyze the retraining process and find that a change in the representation of one user/item will cause a cascading effect through the user-item interaction graph. Under theoretical guidance, we introduce Gradient Passing (GP), a novel technique that explicitly passes gradients between interacted user-item pairs during backpropagation, thereby approximating the cascading effect and accelerating retraining. With just a single update, GP can achieve effects comparable to multiple original training iterations. Under the same number of retraining epochs, GP enables a closer approximation of the surrogate recommender to the victim. This more accurate approximation provides better guidance for optimizing fake users, ultimately leading to enhanced data poisoning attacks. Extensive experiments on real-world datasets demonstrate the efficiency and effectiveness of our proposed GP.

Paper Structure (26 sections, 2 theorems, 11 equations, 5 figures, 6 tables, 1 algorithm)

Key Result

Lemma 1

Let $\bm{R}=\text{vstack}(\bm{r}_{\mathsf{u}_1}, \cdots, \bm{r}_{\mathsf{u}_n}, \bm{r}_{\mathsf{i}_1}, \cdots, \bm{r}_{\mathsf{i}_m}) \in \mathbb{R}^{(n+m) \times d}$ denote the representation matrix for all users and items. The gradient $\nabla_{\bm{R}} \mathcal{L}_\text{rec}$ can be derived throug

Figures (5)

  • Figure 1: Retraining surrogate model is an important and time-consuming part of poisoning attacks.
  • Figure 2: Representation optimization in a surrogate recommender over two iterations: comparing SGD alone (blue) to SGD with GP (green). GP accelerates retraining to the convergence state by passing gradients between interacted user-item pairs.
  • Figure 3: Comparison of gradient similarity between interacted and random user-item pairs.
  • Figure 4: Jaccard Similarity between the surrogate and victim recommenders across various retraining epochs, on Gowalla.
  • Figure 5: Hyperparameter Analysis on Gowalla.

Theorems & Definitions (2)

  • Lemma 1
  • Proposition 1