ID-Free Not Risk-Free: LLM-Powered Agents Unveil Risks in ID-Free Recommender Systems

Zongwei Wang, Min Gao, Junliang Yu, Xinyi Gao, Quoc Viet Hung Nguyen, Shazia Sadiq, Hongzhi Yin

TL;DR

The paper investigates security risks in ID-free recommender systems and demonstrates that LLM-powered agents can manipulate item text to promote low-quality items via a black-box attack called TextSimu. TextSimu combines a popularity-based text rewriting strategy with a two-stage multi-agent collaboration framework to produce persuasive, high-quality deceptive content, achieving strong attack performance across multiple ID-free models and datasets. To counter this threat, the authors propose RewriteDetection, which uses text segmentation and LLM-based continuation prediction to detect generated content and assess potential malicious promotion via comparison of recommendation outcomes. Empirical results on three real-world datasets show TextSimu's effectiveness and RewriteDetection's practicality, underscoring the need for security mechanisms in ID-free recommender systems and motivating future work on robust defenses against text-based manipulation.

Abstract

Recent advances in ID-free recommender systems have attracted significant attention for effectively addressing the cold start problem. However, their vulnerability to malicious attacks remains largely unexplored. In this paper, we unveil a critical yet overlooked risk: LLM-powered agents can be strategically deployed to attack ID-free recommenders, stealthily promoting low-quality items in black-box settings. This attack exploits a novel rewriting-based deception strategy, where malicious agents synthesize deceptive textual descriptions by simulating the characteristics of popular items. To achieve this, the attack mechanism integrates two primary components: (1) a popularity extraction component that captures essential characteristics of popular items and (2) a multi-agent collaboration mechanism that enables iterative refinement of promotional textual descriptions through independent thinking and team discussion. To counter this risk, we further introduce a detection method to identify suspicious text generated by our discovered attack. By unveiling this risk, our work aims to underscore the urgent need to enhance the security of ID-free recommender systems.
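The abstract and TL;DR describe RewriteDetection's final step as a comparison of recommendation outcomes: if replacing an item's description makes a low-quality item jump up the rankings, the rewrite deserves scrutiny. The following is an added example, not code from the paper, that models only that outcome-comparison step. It stands in for the ID-free recommender with a bag-of-words cosine ranker over item text, uses a constructed five-item catalogue with constructed ratings, and omits the paper's text-segmentation and LLM continuation-prediction stages. The names `promotion_shift` and `flag_suspicious` and the thresholds `min_jump` and `low_quality` are assumptions of this example.

```python
"""Toy model of RewriteDetection's 'compare recommendation outcomes' step.

Added example, not the paper's code. The recommender is a bag-of-words
cosine ranker standing in for a real ID-free model; all items, ratings
and the user profile below are constructed.
"""
import math
import re
from collections import Counter

# Constructed catalogue: item id -> (text description, average rating).
CATALOG = {
    "lipstick-a": ("long lasting matte lipstick, smooth finish, vivid colour", 4.6),
    "gloss-b": ("smooth lip gloss with long lasting shine", 4.3),
    "balm-c": ("matte lip balm", 4.0),
    "serum-d": ("hydrating vitamin c serum", 4.5),
    "lipstick-z": ("cheap stick", 2.1),  # the low-quality item
}

# Constructed user profile text (what an ID-free model would match items against).
PROFILE = "long lasting smooth matte lipstick"

TOKEN = re.compile(r"[a-z]+")


def bag(text):
    """Lower-cased bag-of-words representation of a description."""
    return Counter(TOKEN.findall(text.lower()))


def cosine(a, b):
    """Cosine similarity between two bag-of-words Counters."""
    dot = sum(a[t] * b[t] for t in a if t in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def rank_items(user_profile, catalog):
    """Toy ID-free recommender: rank items purely by text similarity to the profile.

    Ties are broken by item id so the ranking is deterministic.
    """
    p = bag(user_profile)
    return sorted(catalog, key=lambda i: (-cosine(p, bag(catalog[i][0])), i))


def rank_of(item, user_profile, catalog):
    """1-based rank of `item` in the recommendation list for this profile."""
    return rank_items(user_profile, catalog).index(item) + 1


def promotion_shift(item, new_text, user_profile, catalog):
    """Return (old_rank, new_rank) when `item`'s text is replaced by `new_text`.

    The catalogue is copied so the comparison never mutates the live data.
    """
    old = rank_of(item, user_profile, catalog)
    modified = dict(catalog)
    modified[item] = (new_text, catalog[item][1])
    new = rank_of(item, user_profile, modified)
    return old, new


def flag_suspicious(item, new_text, user_profile, catalog, min_jump=2, low_quality=3.0):
    """Flag a rewrite that lifts a poorly rated item by at least `min_jump` places.

    Thresholds are assumptions of this example; a deployment would tune them
    against observed benign edit behaviour.
    """
    old, new = promotion_shift(item, new_text, user_profile, catalog)
    rating = catalog[item][1]
    return (old - new) >= min_jump and rating < low_quality


if __name__ == "__main__":
    # Constructed replacement description submitted for the low-quality item.
    rewrite = "long lasting matte lipstick with smooth finish"
    print(promotion_shift("lipstick-z", rewrite, PROFILE, CATALOG))      # (4, 1)
    print(flag_suspicious("lipstick-z", rewrite, PROFILE, CATALOG))      # True
    # A benign edit to an already well-ranked item does not trip the check.
    benign = "long lasting matte lipstick, smooth finish, new shades"
    print(flag_suspicious("lipstick-a", benign, PROFILE, CATALOG))       # False
```

The check is deliberately asymmetric: it only fires when a low-rated item gains ranking, because a moderator cares about promotion of weak items, not about every text edit. In a real deployment the profile would be a set of representative user profiles rather than one string, and the rank delta would be aggregated across them before comparison against the threshold.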

Paper Structure

This paper contains 25 sections, 5 equations, 3 figures, 5 tables.

Figures (3)

  • Figure 1: ID-based and ID-free recommendation paradigms.
  • Figure 2: The comparison of text attacks and injection attacks against ID-free recommendation on the dataset Beauty. The attack size represents the ratio of the number of malicious users to the total number of users.
  • Figure 3: The framework of TextSimu.